Analysis

  • max time kernel
    26s
  • max time network
    44s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/11/2024, 16:21

Errors

Reason
Machine shutdown

General

  • Target

    DefenderRemover (2).exe

  • Size

    823KB

  • MD5

    879e3d30cc1392370ab0eec1601aa1b6

  • SHA1

    c85e5eb120d860b0a67e3f091d5e7c29a7643bfd

  • SHA256

    704ebc20fe0c7678a2b73d97ba6ad2945ece3a7d35ba0e0a394b629570af00ca

  • SHA512

    71a5987a9f2fde213992be76865c0d57a4113027adf53aa515eaaa42c8f02e895297795a3c02f60ff837dcd045fa072814567ea1b65257c8006a0aa5f3e7bd44

  • SSDEEP

    12288:g1OgLdaiqSqzU7rOv/O6/NH90u9KIyburq6fAdAYmyX:g1OYdaaIO6/LXEYr8dAByX

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 64 IoCs
  • Modifies firewall policy service 3 TTPs 4 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • UAC bypass 3 TTPs 5 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Modify Registry: Disable Windows Driver Blocklist 2 TTPs 1 IoCs

    Disable Windows Driver Blocklist via Registry.

  • Boot or Logon Autostart Execution: LSASS Driver 2 TTPs 1 IoCs

    Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 5 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Start PowerShell.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 25 IoCs
  • Runs .reg file with regedit 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe
    "C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1896
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c .\Script_Run.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:760
      • C:\Windows\SysWOW64\choice.exe
        choice /C:yas /N
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3164
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""RemoveSecHealthApp.ps1""' -Verb RunAs}"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4972
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "RemoveSecHealthApp.ps1
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1132
          • C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\dismhost.exe
            C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\dismhost.exe {D5D30325-AA08-49F3-913E-DC1E86598E65}
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            PID:2384
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3060
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2816
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:3248
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Runs .reg file with regedit
              PID:920
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3904
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1900
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:1708
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
              6⤵
              • Windows security bypass
              • Runs .reg file with regedit
              PID:2356
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3440
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4500
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4892
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Runs .reg file with regedit
              PID:1900
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:388
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1744
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:5000
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
              6⤵
              • Modifies data under HKEY_USERS
              • Runs .reg file with regedit
              PID:2732
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4156
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:920
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:1608
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
              6⤵
              • Runs .reg file with regedit
              PID:3164
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1836
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4560
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:4796
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"
              6⤵
              • Runs .reg file with regedit
              PID:4800
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3088
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5004
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4972
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
              6⤵
              • Runs .reg file with regedit
              PID:1912
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3440
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4840
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:4624
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"
              6⤵
              • Modifies security service
              • Runs .reg file with regedit
              PID:2272
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4020
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"
          4⤵
          • Executes dropped EXE
          PID:1368
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4976
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"
              6⤵
              • Modifies firewall policy service
              • Modifies registry class
              • Runs .reg file with regedit
              PID:2056
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"
        3⤵
        • Executes dropped EXE
        PID:4484
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"
          4⤵
          • Executes dropped EXE
          PID:1976
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:5004
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"
              6⤵
              • Runs .reg file with regedit
              PID:604
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"
        3⤵
        • Executes dropped EXE
        PID:3264
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"
          4⤵
          • Executes dropped EXE
          PID:3984
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1108
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"
              6⤵
              • Runs .reg file with regedit
              PID:1196
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
        3⤵
        • Executes dropped EXE
        PID:4020
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
          4⤵
          • Executes dropped EXE
          PID:4136
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:2436
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
              6⤵
              • Modifies registry class
              • Runs .reg file with regedit
              PID:212
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
        3⤵
        • Executes dropped EXE
        PID:4740
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
          4⤵
          • Executes dropped EXE
          PID:1348
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:388
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
              6⤵
              • Runs .reg file with regedit
              PID:2180
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2144
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
        3⤵
        • Windows security bypass
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:1452
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:4772
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:3060
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2936
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:3436
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:4576
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:3956
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"
        3⤵
        • Modifies firewall policy service
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Runs .reg file with regedit
        PID:1336
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:3052
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:3024
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2412
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2112
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
        3⤵
        • Executes dropped EXE
        PID:3492
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
          4⤵
          • Executes dropped EXE
          PID:2448
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:1108
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
              6⤵
              • Runs .reg file with regedit
              PID:1704
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
        3⤵
        • Executes dropped EXE
        PID:228
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
          4⤵
          • Executes dropped EXE
          PID:3740
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:2420
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
              6⤵
              • Boot or Logon Autostart Execution: LSASS Driver
              • Runs .reg file with regedit
              PID:4156
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
        3⤵
        • Executes dropped EXE
        PID:4972
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
          4⤵
          • Executes dropped EXE
          PID:812
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:1900
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
              6⤵
              • Runs .reg file with regedit
              PID:2032
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
        3⤵
        • Executes dropped EXE
        PID:3780
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
          4⤵
          • Executes dropped EXE
          PID:3548
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:4740
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
              6⤵
              • Modify Registry: Disable Windows Driver Blocklist
              • Runs .reg file with regedit
              PID:1912
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
        3⤵
        • Executes dropped EXE
        PID:1560
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
          4⤵
          • Executes dropped EXE
          PID:212
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:2180
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
              6⤵
              • Modifies data under HKEY_USERS
              • Runs .reg file with regedit
              PID:4560
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
        3⤵
        • Executes dropped EXE
        PID:4520
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
          4⤵
          • Executes dropped EXE
          PID:4796
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:2356
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
              6⤵
              • Runs .reg file with regedit
              PID:912
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
        3⤵
        • Executes dropped EXE
        PID:1976
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
          4⤵
          • Executes dropped EXE
          PID:4756
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
            5⤵
            • Executes dropped EXE
            PID:2448
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
              6⤵
              • Runs .reg file with regedit
              PID:676
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
        3⤵
        • Executes dropped EXE
        PID:5040
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
          4⤵
          • Executes dropped EXE
          PID:1560
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
            5⤵
            PID:1336
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
              6⤵
              • Runs .reg file with regedit
              PID:4624
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"
        3⤵
        • Executes dropped EXE
        PID:2104
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"
          4⤵
          PID:1088
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"
            5⤵
            • Modifies data under HKEY_USERS
            PID:3440
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"
              6⤵
              • UAC bypass
              • Hijack Execution Flow: Executable Installer File Permissions Weakness
              • Runs .reg file with regedit
              PID:2932
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableVBS.reg"
        3⤵
        PID:3492
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableVBS.reg"
          4⤵
          PID:2612
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableVBS.reg"
            5⤵
            • Modifies data under HKEY_USERS
            PID:2552
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableVBS.reg"
              6⤵
              • Runs .reg file with regedit
              PID:216
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
        3⤵
        PID:1744
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
          4⤵
          PID:2348
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
            5⤵
            • Modifies data under HKEY_USERS
            PID:2420
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
              6⤵
              • Runs .reg file with regedit
              PID:4348
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
        3⤵
        PID:4988
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
          4⤵
          PID:4760
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
            5⤵
            PID:1208
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
              6⤵
              • Runs .reg file with regedit
              PID:4976
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
        3⤵
        PID:4624
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
          4⤵
          PID:4528
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
            5⤵
            PID:1744
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
              6⤵
              • Runs .reg file with regedit
              PID:2708
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
        3⤵
        PID:64
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
          4⤵
          PID:1600
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
            5⤵
            • Modifies data under HKEY_USERS
            PID:4980
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
              6⤵
              • Runs .reg file with regedit
              PID:4624
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
        3⤵
        PID:2104
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
          4⤵
          PID:2032
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
            5⤵
            PID:4396
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
              6⤵
              • Modifies registry class
              • Runs .reg file with regedit
              PID:4588
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
        3⤵
        PID:5028
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
          4⤵
          PID:1280
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
            5⤵
            • Modifies data under HKEY_USERS
            PID:224
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
              6⤵
              • Modifies firewall policy service
              • Runs .reg file with regedit
              PID:404
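Every subtree above has the same shape: PowerRun.exe relaunches itself twice, the third copy carries /TI/ (PowerRun's switch for running its child as TrustedInstaller), and only that copy spawns the regedit.exe /s import of a .reg file from Remove_SecurityComp. The subtrees that follow reuse the chain to have cmd.exe delete Defender and Security Health files under System32. The parser below is an added example, not part of this sandbox report or of the DefenderRemover tool it analyses: it rebuilds parent links from the N⤵ depth markers (the indentation in these reports drifts, so it is not trusted) and then flags any regedit.exe import or cmd.exe del /f whose ancestry includes a PowerRun.exe invoked with /TI/. SAMPLE is a constructed, trimmed excerpt of two of the subtrees on this page; the Proc class, the rule names and the regular expressions are the example's own.

```python
"""Parse this report's process-tree layout ('•' image line, command line, 'N⤵'
depth marker, signature bullets, 'PID:n') and flag regedit.exe imports and
cmd.exe deletions that run below a PowerRun.exe launched with /TI/."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt: two of the subtrees above, trimmed (not the report's verbatim text).
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
  PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"
  3⤵
  PID:2104
  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"
    4⤵
    PID:1088
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"
      5⤵
      PID:3440
      • C:\Windows\regedit.exe
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"
        6⤵
        • UAC bypass
        PID:2932
• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
  3⤵
  PID:4360
  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
    4⤵
    PID:2592
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
      5⤵
      PID:4796
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
        6⤵
        PID:1880
"""

@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int = 0
    pid: int = 0
    tags: list = field(default_factory=list)
    parent: Optional["Proc"] = None

IMAGE_RE = re.compile(r"^•\s+([A-Za-z]:\\.+)$")  # a process node (a path), not a signature bullet
DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")
REG_IMPORT_RE = re.compile(r'regedit\.exe"?\s+/s\s+"([^"]+\.reg)"', re.I)
DEL_FILE_RE = re.compile(r'del\s+/f\s+"*([^"]+)"*', re.I)

def parse_tree(text: str) -> list:
    """Parent links come from the N⤵ markers; indentation in these reports drifts."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    procs, by_depth, cur = [], {}, None
    for ln in lines:
        if m := IMAGE_RE.match(ln):
            cur = Proc(image=m.group(1), cmdline="")
            procs.append(cur)
        elif cur is None:
            continue
        elif not cur.cmdline:
            cur.cmdline = ln  # the line right after the image line is the command line
        elif m := DEPTH_RE.match(ln):
            cur.depth = int(m.group(1))
            cur.parent = by_depth.get(cur.depth - 1)  # most recent node one level up
            by_depth[cur.depth] = cur
        elif m := PID_RE.match(ln):
            cur.pid = int(m.group(1))
        elif ln.startswith("•"):
            cur.tags.append(ln[1:].strip())  # sandbox signature attached to this node
    return procs

def ti_ancestor(p: Proc) -> Optional[Proc]:
    """Nearest ancestor that is PowerRun.exe invoked with /TI/ (TrustedInstaller)."""
    a = p.parent
    while a is not None:
        if a.image.lower().endswith("\\powerrun.exe") and " /ti/ " in a.cmdline.lower():
            return a
        a = a.parent
    return None

def detect(procs: list) -> list:
    """Findings: .reg imports and System32 deletions carried out under PowerRun /TI/."""
    findings = []
    for p in procs:
        ti, image = ti_ancestor(p), p.image.lower()
        if ti is None:
            continue
        if image.endswith("\\regedit.exe") and (m := REG_IMPORT_RE.search(p.cmdline)):
            findings.append({"rule": "ti_reg_import", "pid": p.pid, "via": ti.pid,
                             "artifact": m.group(1).rsplit("\\", 1)[-1], "tags": p.tags})
        elif image.endswith("\\cmd.exe") and (m := DEL_FILE_RE.search(p.cmdline)) \
                and "\\windows\\system32\\" in m.group(1).lower():
            findings.append({"rule": "ti_system32_delete", "pid": p.pid, "via": ti.pid,
                             "artifact": m.group(1), "tags": p.tags})
    return findings

if __name__ == "__main__":
    for f in detect(parse_tree(SAMPLE)):
        print(f["rule"], f["pid"], "via PowerRun /TI/", f["via"], f["artifact"], f["tags"])
```

The two rules carry over directly to EDR process telemetry: parent image ending in PowerRun.exe with /TI/ in its command line, child regedit.exe with /s, or child cmd.exe running del /f against a path under %SystemRoot%\System32. Keying on the TrustedInstaller launcher rather than on the .reg file names keeps the rule independent of this sample's naming, and it also sidesteps a limit visible in this report: the per-signature IoC lists are capped (the header counts 64 IoCs for Executes dropped EXE, and that tag stops appearing partway down the tree), so the sandbox tags alone understate how many processes took part.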
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
        3⤵
        PID:4452
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
          4⤵
          PID:952
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
            5⤵
            • Modifies data under HKEY_USERS
            PID:688
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
              6⤵
              PID:864
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
        3⤵
        PID:1708
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
          4⤵
          PID:4220
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
            5⤵
            • Modifies data under HKEY_USERS
            PID:4740
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
              6⤵
              PID:216
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
        3⤵
        PID:4852
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
          4⤵
          PID:2676
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
            5⤵
            • Modifies data under HKEY_USERS
            PID:696
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
              6⤵
              PID:1172
              • C:\Windows\System32\Conhost.exe
                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                7⤵
                PID:4624
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
        3⤵
        PID:4284
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
          4⤵
          PID:1976
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
            5⤵
            • Modifies data under HKEY_USERS
            PID:1736
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
              6⤵
              PID:4972
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
        3⤵
        PID:4156
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
          4⤵
          PID:4844
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
            5⤵
            • Modifies data under HKEY_USERS
            PID:4756
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
              6⤵
              PID:4348
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
        3⤵
        PID:4360
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
          4⤵
          PID:2592
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
            5⤵
            PID:4796
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
              6⤵
              PID:1880
              • C:\Windows\System32\Conhost.exe
                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                7⤵
                PID:1336
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
        3⤵
        PID:2004
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
          4⤵
          PID:4668
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
            5⤵
            PID:3588
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
              6⤵
              PID:5104
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
        3⤵
        PID:720
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
          4⤵
          PID:1160
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
            5⤵
            • Modifies data under HKEY_USERS
            PID:2552
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
              6⤵
              PID:4020
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
        3⤵
        PID:5036
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
          4⤵
          PID:2448
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
                                                                                                              5⤵
                                                                                                              • Modifies data under HKEY_USERS
                                                                                                              PID:1172
                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
                                                                                                                6⤵
                                                                                                                  PID:212
                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    7⤵
                                                                                                                      PID:4284
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                              PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
                                                                                                              3⤵
                                                                                                                PID:4528
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
                                                                                                                  4⤵
                                                                                                                    PID:4592
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
                                                                                                                      5⤵
                                                                                                                        PID:4360
                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                          "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""
                                                                                                                          6⤵
                                                                                                                            PID:3648
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                      PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
                                                                                                                      3⤵
                                                                                                                        PID:3248
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
                                                                                                                          4⤵
                                                                                                                            PID:2336
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
                                                                                                                              5⤵
                                                                                                                                PID:860
                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
                                                                                                                                  6⤵
                                                                                                                                    PID:4976
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                              PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
                                                                                                                              3⤵
                                                                                                                                PID:4680
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
                                                                                                                                  4⤵
                                                                                                                                    PID:1708
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
                                                                                                                                      5⤵
                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                      PID:3172
                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""
                                                                                                                                        6⤵
                                                                                                                                          PID:5104
                                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                            7⤵
                                                                                                                                              PID:4972
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                      PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
                                                                                                                                      3⤵
                                                                                                                                        PID:676
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
                                                                                                                                          4⤵
                                                                                                                                            PID:3948
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
                                                                                                                                              5⤵
                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                              PID:4740
                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscproxystub.dll""
                                                                                                                                                6⤵
                                                                                                                                                  PID:4420
                                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    7⤵
                                                                                                                                                      PID:912
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                              PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
                                                                                                                                              3⤵
                                                                                                                                                PID:4540
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
                                                                                                                                                  4⤵
                                                                                                                                                    PID:216
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
                                                                                                                                                      5⤵
                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                      PID:696
                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscisvif.dll""
                                                                                                                                                        6⤵
                                                                                                                                                          PID:4344
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                    PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
                                                                                                                                                    3⤵
                                                                                                                                                      PID:2412
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
                                                                                                                                                        4⤵
                                                                                                                                                          PID:1396
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
                                                                                                                                                            5⤵
                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                            PID:4340
                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
                                                                                                                                                              6⤵
                                                                                                                                                                PID:3588
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                          PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
                                                                                                                                                          3⤵
                                                                                                                                                            PID:1108
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
                                                                                                                                                              4⤵
                                                                                                                                                                PID:4560
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:4592
                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.dll""
                                                                                                                                                                      6⤵
                                                                                                                                                                        PID:1064
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                  PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:4036
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
                                                                                                                                                                      4⤵
                                                                                                                                                                        PID:3080
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
                                                                                                                                                                          5⤵
                                                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                                                          PID:4396
                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
                                                                                                                                                                            6⤵
                                                                                                                                                                              PID:2004
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
  3⤵
    PID:2732
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
      4⤵
        PID:2436
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
          5⤵
            PID:216
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.exe""
              6⤵
                PID:3584
• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
  3⤵
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
      4⤵
        PID:1880
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
          5⤵
            PID:3460
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
              6⤵
                PID:2352
• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
  3⤵
    PID:3172
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
      4⤵
        PID:864
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
          5⤵
            • Modifies data under HKEY_USERS
            PID:4836
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\DWWIN.EXE""
              6⤵
                PID:4420
• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
  3⤵
    PID:1900
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
      4⤵
        PID:5000
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
          5⤵
            • Modifies data under HKEY_USERS
            PID:1968
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
              6⤵
                PID:5036
• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
  3⤵
    PID:2784
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
      4⤵
        PID:4568
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
          5⤵
            PID:2056
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreenps.dll""
              6⤵
                PID:4772
                • C:\Windows\System32\Conhost.exe
                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  7⤵
                    PID:5104
• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
  3⤵
    PID:552
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
      4⤵
        PID:4796
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
          5⤵
            • Modifies data under HKEY_USERS
            PID:3080
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
              6⤵
                PID:4348
                • C:\Windows\System32\Conhost.exe
                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  7⤵
                    PID:2180
• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
  3⤵
    PID:2688
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
      4⤵
        PID:920
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
          5⤵
            • Modifies data under HKEY_USERS
            PID:2160
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
              6⤵
                PID:2144
• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
  3⤵
    PID:4740
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
      4⤵
        PID:3172
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
          5⤵
            • Modifies data under HKEY_USERS
            PID:1964
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
              6⤵
                PID:2112
                • C:\Windows\System32\Conhost.exe
                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  7⤵
                    PID:4772
• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
  3⤵
    PID:4020
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                          PID:1132
                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                            PID:3944
                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                PID:4796
                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                          PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                            PID:4804
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                PID:4756
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                  PID:1280
                                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscapi.dll""
                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                      PID:1348
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                  PID:1368
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                      PID:1556
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                        PID:2068
                                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscadminui.exe""
                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                            PID:4680
                                                                                                                                                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                PID:3436
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                        PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                          PID:5040
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                              PID:3588
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                PID:5044
                                                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                    PID:4368
                                                                                                                                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                        PID:4796
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                PowerRun cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                  PID:2676
                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                      PID:5004
                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                        PID:2144
                                                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                            PID:5008
                                                                                                                                                                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                PID:3956
                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                        PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                          PID:5036
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                              PID:4576
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                  PID:3640
                                                                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                      PID:1368
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                  PID:812
                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                      PID:2436
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                          PID:952
                                                                                                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                              PID:2056
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                        PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                          PID:4416
                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                              PID:3740
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                  PID:2752
                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                      PID:4396
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                  PID:3960
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                      PID:1736
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                          PID:2032
                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                              PID:4368
                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                  PID:3588
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                          PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                            PID:3612
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                PID:3780
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                    PID:1880
                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                        PID:952
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                  PowerRun cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                    PID:2216
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                        PID:3080
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                            PID:3888
                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                PID:2348
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
    PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
    3⤵
      PID:2004
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
        4⤵
          PID:4844
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
            5⤵
              PID:1132
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
                6⤵
                  PID:4048
  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
    PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
    3⤵
      PID:1108
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
        4⤵
          PID:3940
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
            5⤵
              PID:4420
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
                6⤵
                  PID:1976
  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
    PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
    3⤵
      PID:3460
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
        4⤵
          PID:808
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
            5⤵
              PID:1196
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
                6⤵
                  PID:4904
  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
    PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
    3⤵
      PID:4560
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
        4⤵
          PID:4348
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
            5⤵
              PID:3080
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
                6⤵
                  PID:3984
  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
    PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
    3⤵
      PID:1488
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
        4⤵
          PID:5116
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
            5⤵
              PID:3524
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
                6⤵
                  PID:2864
  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
    PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
    3⤵
      PID:4876
      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
        4⤵
          PID:4344
          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
            5⤵
              PID:1696
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
                6⤵
                  PID:4452
                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                          PowerRun cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:4360
                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:3052
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:1600
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:3984
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                  PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:1860
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:404
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:812
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:3960
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                          PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:2816
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:1976
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:4388
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:3348
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:1912
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                    PowerRun cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:4772
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:3640
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:4680
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
                  6⤵
                    PID:4540
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
      3⤵
        PID:1196
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
          4⤵
            PID:2612
            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
              "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
              5⤵
                PID:4560
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
                  6⤵
                    PID:2144
                    • C:\Windows\System32\Conhost.exe
                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      7⤵
                        PID:4852
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
      3⤵
        PID:3948
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
          4⤵
            PID:1072
            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
              "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
              5⤵
                PID:2164
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Sgrm" /s /q
                  6⤵
                    PID:468
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
      3⤵
        PID:920
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
          4⤵
            PID:4760
            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
              "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
              5⤵
                PID:4404
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
                  6⤵
                    PID:5008
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
      3⤵
        PID:3804
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
          4⤵
            PID:4136
            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
              "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
              5⤵
                PID:5004
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
                  6⤵
                    PID:3088
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
      3⤵
        PID:4772
        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
          4⤵
            PID:3620
            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
              "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1548
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:468
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3608
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1064
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3944
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2032
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3784
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2092
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3940
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4592
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1488
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:812
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:468
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
  3⤵
  PID:4332
  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
    4⤵
    PID:4912
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
      5⤵
      PID:3620
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
        6⤵
        PID:1496
        • C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          7⤵
          PID:3584
• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
  3⤵
  PID:2060
  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
    4⤵
    PID:4804
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
      5⤵
      PID:3504
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
        6⤵
        PID:2092
• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
  3⤵
  PID:4344
  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
    4⤵
    PID:2448
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
      5⤵
      PID:4156
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
        6⤵
        PID:1172
• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
  3⤵
  PID:1708
  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
    4⤵
    PID:1084
    • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
      5⤵
      PID:3944
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\bcastdvr" /s /q
        6⤵
        PID:2576
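The chains above all follow one shape: a dropped PowerRun.exe re-launches itself, the second copy re-launches with the /TI/ switch (taken here as PowerRun's run-as-TrustedInstaller mode), and only that copy spawns cmd.exe to rmdir a directory under C:\Windows that a normal administrator cannot delete. That shape is detectable from process-creation telemetry alone. The following is an added example, not part of the sandbox report or of the DefenderRemover or PowerRun projects: it walks constructed process-creation records (PIDs and command lines modelled on the tree above, parent PIDs for the top of each chain invented) and flags every cmd.exe that removes a protected path while a /TI/ PowerRun.exe sits among its ancestors. The protected-root list, the ProcEvent/Finding types and the helper names are all assumptions of this example.

```python
"""Flag directory deletions under C:\\Windows performed through a
TrustedInstaller-impersonating PowerRun.exe chain (added example)."""
import re
from dataclasses import dataclass

# Assumed protected roots; widen or narrow for your environment.
PROTECTED_ROOTS = (r"c:\windows",)

# Deletion verbs followed by a quoted target, as cmd.exe records them.
# \b keeps "rd" from matching inside longer tokens, but a directory
# literally named "rd" would still match; tune if that matters.
DELETE_RE = re.compile(r'\b(?:rmdir|rd|del|erase)\b[^"]*"([^"]+)"', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int              # the cmd.exe doing the deletion
    target: str           # path it removes
    ti_ancestor_pid: int  # the PowerRun.exe /TI/ launch above it
    chain: tuple          # pids from the cmd.exe up to that ancestor


def is_ti_powerrun(ev):
    """PowerRun.exe launched with the /TI/ switch."""
    return ev.image.lower().endswith("\\powerrun.exe") and "/ti/" in ev.cmdline.lower()


def deleted_paths(cmdline):
    """Quoted paths passed to rmdir/rd/del/erase in one command line."""
    return [m.group(1) for m in DELETE_RE.finditer(cmdline)]


def under_protected_root(path):
    p = path.lower()
    return any(p == r or p.startswith(r + "\\") for r in PROTECTED_ROOTS)


def find_ti_deletions(events, max_depth=8):
    """Return a Finding per protected path deleted by a cmd.exe whose
    ancestry (walked by ppid, at most max_depth hops) contains a /TI/
    PowerRun.exe. Deletions without such an ancestor, or of unprotected
    paths, are ignored."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        targets = [p for p in deleted_paths(ev.cmdline) if under_protected_root(p)]
        if not targets:
            continue
        chain, cur = [ev.pid], ev
        for _ in range(max_depth):
            parent = by_pid.get(cur.ppid)
            if parent is None:
                break
            chain.append(parent.pid)
            if is_ti_powerrun(parent):
                findings.extend(Finding(ev.pid, t, parent.pid, tuple(chain)) for t in targets)
                break
            cur = parent
    return findings


# Constructed records mirroring the tree above; ppid 1000 is invented.
PR = r"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"
CMD = r"C:\Windows\system32\cmd.exe"
DEF = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender"
SAMPLE_EVENTS = [
    ProcEvent(4332, 1000, PR, rf'PowerRun cmd.exe /c rmdir "{DEF}" /s /q'),
    ProcEvent(4912, 4332, PR, rf'"{PR}" cmd.exe /c rmdir "{DEF}" /s /q'),
    ProcEvent(3620, 4912, PR, rf'"{PR}" /TI/ cmd.exe /c rmdir "{DEF}" /s /q'),
    ProcEvent(1496, 3620, CMD, rf'"{CMD}" /c rmdir "{DEF}" /s /q'),
    ProcEvent(3584, 1496, r"C:\Windows\System32\Conhost.exe",
              r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(4156, 1000, PR, rf'"{PR}" /TI/ cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q'),
    ProcEvent(1172, 4156, CMD, rf'"{CMD}" /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q'),
    # Controls (constructed): protected path but no /TI/ ancestor ...
    ProcEvent(5001, 1000, CMD, rf'"{CMD}" /c rmdir "C:\Windows\Temp\build-cache" /s /q'),
    # ... and a /TI/ ancestor but an unprotected path.
    ProcEvent(5002, 3620, CMD, rf'"{CMD}" /c rmdir "C:\Users\Admin\AppData\Local\Temp\scratch" /s /q'),
]

if __name__ == "__main__":
    for f in find_ti_deletions(SAMPLE_EVENTS):
        print(f"cmd.exe pid {f.pid} removed {f.target} under /TI/ PowerRun pid {f.ti_ancestor_pid}; chain {f.chain}")
```

Both conditions are required on purpose: rmdir under C:\Windows happens legitimately during servicing, and PowerRun /TI/ is also used by administrators, so the rule only fires on a deletion actually carried out under a TrustedInstaller-launched cmd.exe. Feeding it real Sysmon Event ID 1 or Security 4688 data means mapping ProcessId, ParentProcessId, Image and CommandLine onto ProcEvent; the ancestor walk needs parent records to be present, so keep a window that spans the whole chain.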
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PowerRun cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2352
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1548
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4520
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        timeout 10
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1736
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shutdown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        shutdown /r /f /t 0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:212
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\LogonUI.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "LogonUI.exe" /flags:0x4 /state0:0xa38ac055 /state1:0x41c64e6d
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4364

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 1KB
  MD5: def65711d78669d7f8e69313be4acf2e
  SHA1: 6522ebf1de09eeb981e270bd95114bc69a49cda6
  SHA256: aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
  SHA512: 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 15KB
  MD5: bb7e9821c8dc8d4430e3db46335ff88f
  SHA1: 5e7e314d5bb4663085139cf98dee612033250663
  SHA256: 5e194cd7f357bc48b5a45bcd0684509b0776508e6a9f504a9cda9916469f59bf
  SHA512: 95921600ae3fe26c8e64bd6eaa9eb365b7b3aeaccb3eb25e4c5d2540bc778cb4dcf3a96ef472e62db01eb33b075608408c4435f747e409474149830d84695796

• C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\AppxProvider.dll
  Filesize: 554KB
  MD5: a7927846f2bd5e6ab6159fbe762990b1
  SHA1: 8e3b40c0783cc88765bbc02ccc781960e4592f3f
  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\DismCorePS.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              183KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              a033f16836d6f8acbe3b27b614b51453

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              716297072897aea3ec985640793d2cdcbf996cf9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\DismHost.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              142KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              e5d5e9c1f65b8ec7aa5b7f1b1acdd731

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\LogProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              77KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              815a4e7a7342224a239232f2c788d7c0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              430b7526d864cfbd727b75738197230d148de21a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\OSProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              149KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              db4c3a07a1d3a45af53a4cf44ed550ad

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5dea737faadf0422c94f8f50e9588033d53d13b3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\dismprov.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              255KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

490be3119ea17fa29329e77b7e416e80
SHA1: c71191c3415c98b7d9c9bbcf1005ce6a813221da
SHA256: ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a
SHA512: 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

• C:\Users\Admin\AppData\Local\Temp\3f4x4i0p.tmp
Filesize: 28KB
MD5: 1524a28cbc30e70c60bc6cf977f82229
SHA1: 664f15cea146b654ec4a60c76071ff83c4dfa651
SHA256: 8561191653adc4ee6cb03a5c1953bd993782689600adebcd8776754147668f9b
SHA512: 7fbee3bc38aca8ef368c1ff07eb1f4fb3f178628f8b41430eb1006c63bd908f26a1d85a19f2d661b02d3842505c9c762c8056fb2f1619b92a3a6d1085f0b9c50

• C:\Users\Admin\AppData\Local\Temp\3h0s6z0g.tmp
Filesize: 28KB
MD5: 9e7bb9c31083cc3a0f561d12311c9d83
SHA1: 9102b88339566d5f0490c25180632043c8bb1809
SHA256: 2658178fd2cb498195032c531bf3bb037954e0614aaec4c4ac2637f08d949bc1
SHA512: 1fb30279a1f951a98f609eb749deb6c77082c28a30e1fdd4f3224ddac8ddfad134e8f3c44f82c32501da8a93a978e6cf8dfe591039a0e6af0d4d2a1dc5445699

• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
Filesize: 873KB
MD5: fc1fb033d57f72089fb4762245a8b18d
SHA1: 7ec0f7ca5f0e0d20e5372bf69865d0a809e6cc8e
SHA256: a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2
SHA512: cff3833e592a5fe1f1fcb656c42e77fdd177c902f84cf396365cfa04edc9ec046de3473a943779d3815bc36bf48182101703b20b08ae580c2b3ba20508d231d0

• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\RemoveSecHealthApp.ps1
Filesize: 1KB
MD5: e578450ec12ca326ee55a47f121defa3
SHA1: 5c9ac60207ce7bf80ca0cd075ec196deba41f2cc
SHA256: b29d37c2d89b1d20ae79863e55a8bd41ee430a6115d695435cf3f5976dc35d32
SHA512: 1d524d422883604f8841d6e88e3f1c138e55426c72c9ed0ba2a7cbd15c1bc01327c1e1f7087b28a3d7a47244b2b92b7bb054f40b3e0a63fc9f3d6fbf13e7ab5b

• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg
Filesize: 1KB
MD5: 1ed85b1fd58eaf5b12f230e9f861efa5
SHA1: e34470a63ae079199a420e04494ccd723ebccfc5
SHA256: bb5e1cd5973932797a7c3c1706255c7314fd0843558ce270e296c735c1bb256f
SHA512: 3c2a030b63d42713045e9cc9edc3c5602c82fd17e2f4cb74b8a64e894e8aaa2cb773b86b03754ce6f60ea72c6be0eee559d980237378c1aa54c4147b4e91f594

• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg
Filesize: 8KB
MD5: 577d9bbc801d8c6df2d0f0b1aff298f4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4c42779c0061075629692ad18f15adc369d8ca79

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              99fdaaaf838c00099e5beadd4725be22cdc4687f2aded7670fa12bc95f888409

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3bf58a3e6314807362807e562008427a8f4149f926ec24874e81fd6574e8d26f9bfe4f633ff95d0f2b1036152b0b1a7bf1f916d238b3048ec475db2f5f64393e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              dc3b2b1aad7850d42d5154f0e11a3121

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              f8a9fe5e2a7b1b76ced9cd4f7495b2144adc9fbe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              c12fa69a11f6b935d127295336b053a3a7bf3277b81bf9092e978b1420fa3bc3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              f73bd0111dbe06640016765181d4e91b726fd3c53e0ba74049b263a430a32dd347e5004151650bc832d85d93e5e893793376a8013c1d8492f5c0256a3b6176fa

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              ec521e7934667f3b0c3000b88c020b47

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              a1cab54cbe572995cd075a6723c0fff038551711

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4aa6abeefaa66645923525a48911311060164fbfcfe8ffded6c6fac6d8b8fc04

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              c036043681bb2fe346e0a989e6981d62f40c89cfb036f6d65766319c6fb1c295ae25fe1befed7fd827b79c79927bb4dbe9fd0918bb768183147704889822e05f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              bec3d75cd3a619595427f9a122adfd25

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1003c1c4833e1c9d9b43ff7c0a2dc2e85d07275e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              de5d76c4c1be4b15ff011c46e4ff3101f5ffd3ac7ee8bab00753feaae208f75c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              56827aaf3b106c18a4563e14e07d8372d7e96fa3103f63ab9e1a98e4e9fc77c3f37f7d7591bf7102fa2261ef812578498d73f3468c48c22782933635e8272a49

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              574B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3efc2ed4909f33432d597d950d9cf9eb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              38603fe0665fbfa8c2a2c45fba11800433e6a8f4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              8143feeb32a4edbd649ce033a551f878360603aa248faf82d01c1f292cf49a4c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              743bfa2eebdc9b1754fc70fd5004a8984e17a3469dd0a31a20ec1abbd1e87efc490f0f419bb33dd2750545276fdf6505bea1ae88dce81f437b0eab68e62584ee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1KB

• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg (Filesize: 1KB)

• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg (Filesize: 579B)

• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg (Filesize: 605B)

• C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Script_Run.bat (Filesize: 9KB)

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s5jba5cp.sgj.ps1 (Filesize: 60B)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\autB12F.tmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              11KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4a83df1d945c2f5801ed59650d7460eb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              31827890e1df99268c0f80dcb26774225e4c3a5d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2d993be76dfcf35f89b656b4dbc553e078d824974b482e56c6f76eaea87731c8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              eacb88683e3c999a1cdc9d9e4a4030723164e358d7cd85f7cfc02b99f33be991c89af5602349b48b5388520968a43a2a45b4b6d2f468f2b888088cf95bd591d2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\autB130.tmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              10KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              09ca17eb552722bd7004097f59b07518

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              36cf9da188460542e58acb97fa0ef0bfd9a4e172

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              365c32c3c09228158ab5aaabfcf93cdfcd858be0b2a00031d82ab03070f61a5b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3dc6ed86df50f87b12635032fb30840e94bea699ac193a16099a2ce1a9bd5e39147f115fb938c177991dc0dcfd5abab075632a1d0b46e6009a86eea3a27156bf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\autB141.tmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              96c0e61f3298cb745b021f67e7dd0d48

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              a61adbe460c68a3087ff1ba75620dbb86af28e40

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3e56c22a81ab1168036a289c7ffe2889dd678c422568dff9ef91d6a0f9005333

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              dbbfdd4ad2c80ff9df0b21dfd011420baba54a7114d0e0ff5371dda9c9389d90422a4311881ac2bdb5ba7c4334d210b61c6c0fc691ae503e32930109d9251f3e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\Logs\DISM\dism.log

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              b04906ec77a77ebdf04b27077ae690a6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              42a4c1efa93774e6327496fbc167b67bd1015478

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              ded5df56838c1923a040943e6136a86e0713e0bf42669721a66cccc6f4341e03

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              b144b56bfb93addef4794d9bd5d5cd5b5ca4717d792bc79ffeb6dcfb3fb024a6ca8cec53de54e2f3d1acc6a9bddf8387843000312fdba5fc7d5e5d1299a905e9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\Logs\DISM\dism.log

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              830b5933e8dd680cad7a039b1e02136a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3371f5de2143cef5e20f7793358798e16941e4ee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              56f9183da541340d296223840edabd8251ea86c66c4947f4f7510ab6fc4eb5fc

SHA512

478878657efc1e2d8cf0794c572ad1d7461843bff0384fbfa897ed715103fb814df5a36fe2d2c5fb64a02baf2bd40724873dbbb61cc60f027eae1f569ce867ef

• memory/1132-144-0x0000000007780000-0x0000000007823000-memory.dmp

  Filesize: 652KB

• memory/1132-167-0x0000000007EB0000-0x000000000852A000-memory.dmp

  Filesize: 6.5MB

• memory/1132-143-0x00000000076B0000-0x00000000076CE000-memory.dmp

  Filesize: 120KB

• memory/1132-132-0x0000000007670000-0x00000000076A2000-memory.dmp

  Filesize: 200KB

• memory/1132-194-0x0000000007890000-0x000000000789A000-memory.dmp

  Filesize: 40KB

• memory/1132-232-0x0000000007A30000-0x0000000007A56000-memory.dmp

  Filesize: 152KB

• memory/1132-133-0x00000000704B0000-0x00000000704FC000-memory.dmp

  Filesize: 304KB

• memory/1132-130-0x0000000006A70000-0x0000000006ABC000-memory.dmp

  Filesize: 304KB

• memory/1132-128-0x0000000005EA0000-0x00000000061F4000-memory.dmp

  Filesize: 3.3MB

• memory/1132-963-0x0000000007B80000-0x0000000007BA6000-memory.dmp

  Filesize: 152KB

• memory/1132-962-0x0000000007AF0000-0x0000000007AFA000-memory.dmp

  Filesize: 40KB

• memory/1132-961-0x0000000007A10000-0x0000000007A26000-memory.dmp

  Filesize: 88KB

• memory/4972-86-0x0000000006160000-0x00000000061F6000-memory.dmp

  Filesize: 600KB

• memory/4972-71-0x0000000004C20000-0x0000000004C42000-memory.dmp

  Filesize: 136KB

• memory/4972-85-0x0000000005C10000-0x0000000005C5C000-memory.dmp

  Filesize: 304KB

• memory/4972-84-0x0000000005BE0000-0x0000000005BFE000-memory.dmp

  Filesize: 120KB

• memory/4972-79-0x0000000005590000-0x00000000058E4000-memory.dmp

  Filesize: 3.3MB

• memory/4972-73-0x0000000005460000-0x00000000054C6000-memory.dmp

  Filesize: 408KB

• memory/4972-72-0x00000000053F0000-0x0000000005456000-memory.dmp

  Filesize: 408KB

• memory/4972-87-0x00000000060E0000-0x00000000060FA000-memory.dmp

  Filesize: 104KB

• memory/4972-70-0x0000000074610000-0x0000000074DC0000-memory.dmp

  Filesize: 7.7MB

• memory/4972-88-0x0000000006130000-0x0000000006152000-memory.dmp

  Filesize: 136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/4972-89-0x0000000007350000-0x00000000078F4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/4972-92-0x0000000074610000-0x0000000074DC0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              7.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/4972-68-0x0000000074610000-0x0000000074DC0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              7.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/4972-69-0x0000000004CC0000-0x00000000052E8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              6.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/4972-67-0x00000000045C0000-0x00000000045F6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              216KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/4972-66-0x000000007461E000-0x000000007461F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4KB
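The dump names above encode the process ID, a running dump index and the start and end address of the captured region, and the Filesize shown beside each one is simply the difference of the two addresses. The script below is an added example for this page, not part of the sandbox report or of the sandbox's own tooling: it parses that name layout, recomputes each size and checks it against the reported string, and then groups the entries so that the same range captured several times (0x74610000-0x74DC0000 in dumps 68, 70 and 92) and a small region lying inside a larger one (the 4KB page in dump 66 sits inside that 7.7MB range) stand out. The entry list is constructed from the listing above; the KB/MB rounding rule is an assumption chosen to reproduce the report's strings.

```python
"""Parse memory-dump artifact names from a sandbox report and sanity-check them.

Added example for this page; not part of the report or of the sandbox's tooling.
The name layout memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp and the entries in
REPORT_ENTRIES are taken from the listing above; the size rounding in human_size
is an assumption chosen to reproduce the report's Filesize strings."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]{16})-0x(?P<end>[0-9A-Fa-f]{16})-memory\.dmp$"
)

# Constructed from the entries above: (dump name, Filesize as the report shows it).
REPORT_ENTRIES = [
    ("memory/4972-70-0x0000000074610000-0x0000000074DC0000-memory.dmp", "7.7MB"),
    ("memory/4972-88-0x0000000006130000-0x0000000006152000-memory.dmp", "136KB"),
    ("memory/4972-89-0x0000000007350000-0x00000000078F4000-memory.dmp", "5.6MB"),
    ("memory/4972-92-0x0000000074610000-0x0000000074DC0000-memory.dmp", "7.7MB"),
    ("memory/4972-68-0x0000000074610000-0x0000000074DC0000-memory.dmp", "7.7MB"),
    ("memory/4972-69-0x0000000004CC0000-0x00000000052E8000-memory.dmp", "6.2MB"),
    ("memory/4972-67-0x00000000045C0000-0x00000000045F6000-memory.dmp", "216KB"),
    ("memory/4972-66-0x000000007461E000-0x000000007461F000-memory.dmp", "4KB"),
]


def parse_dump_name(name):
    """Split a dump name into pid, dump index, start/end addresses and byte size."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"end address not above start: {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Render a byte count like the report: whole KB below 1 MiB, else MB to one decimal."""
    if nbytes < 1 << 20:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def verify_reported_sizes(entries):
    """Return (name, computed size, reported size, matches) for every entry."""
    out = []
    for name, reported in entries:
        computed = human_size(parse_dump_name(name)["size"])
        out.append((name, computed, reported, computed == reported))
    return out


def repeated_ranges(entries):
    """Map each (start, end) range captured more than once to its sorted dump indices."""
    by_range = defaultdict(list)
    for name, _ in entries:
        d = parse_dump_name(name)
        by_range[(d["start"], d["end"])].append(d["idx"])
    return {r: sorted(ix) for r, ix in by_range.items() if len(ix) > 1}


def nested_regions(entries):
    """Map each dump whose range lies strictly inside another dump's range to those outer dumps."""
    dumps = [parse_dump_name(name) for name, _ in entries]
    nested = defaultdict(list)
    for inner in dumps:
        for outer in dumps:
            if inner is outer:
                continue
            same = (inner["start"], inner["end"]) == (outer["start"], outer["end"])
            inside = outer["start"] <= inner["start"] and inner["end"] <= outer["end"]
            if inside and not same:
                nested[inner["idx"]].append(outer["idx"])
    return {k: sorted(v) for k, v in nested.items()}


if __name__ == "__main__":
    for name, computed, reported, ok in verify_reported_sizes(REPORT_ENTRIES):
        print(f"{'ok ' if ok else 'BAD'} {name} computed={computed} reported={reported}")
    for (s, e), ix in repeated_ranges(REPORT_ENTRIES).items():
        print(f"range 0x{s:X}-0x{e:X} dumped {len(ix)} times: {ix}")
    for inner, outers in nested_regions(REPORT_ENTRIES).items():
        print(f"dump {inner} lies inside dumps {outers}")
```

Run as-is it confirms every Filesize in the listing against the address range, reports the 0x74610000-0x74DC0000 range as dumped three times, and shows dump 66 as a page inside that range; feeding it the full memory section of a report (with the PID kept in the key) is a quick way to see which regions the sandbox kept re-dumping, which is usually where the unpacked payload lives.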