Analysis
-
max time kernel
26s -
max time network
44s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
05/11/2024, 16:21
Static task
static1
Behavioral task
behavioral1
Sample
DefenderRemover (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
DefenderRemover (2).exe
Resource
win10v2004-20241007-en
Errors
General
-
Target
DefenderRemover (2).exe
-
Size
823KB
-
MD5
879e3d30cc1392370ab0eec1601aa1b6
-
SHA1
c85e5eb120d860b0a67e3f091d5e7c29a7643bfd
-
SHA256
704ebc20fe0c7678a2b73d97ba6ad2945ece3a7d35ba0e0a394b629570af00ca
-
SHA512
71a5987a9f2fde213992be76865c0d57a4113027adf53aa515eaaa42c8f02e895297795a3c02f60ff837dcd045fa072814567ea1b65257c8006a0aa5f3e7bd44
-
SSDEEP
12288:g1OgLdaiqSqzU7rOv/O6/NH90u9KIyburq6fAdAYmyX:g1OYdaaIO6/LXEYr8dAByX
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" regedit.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 
regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time 
Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" regedit.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" regedit.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" regedit.exe -
Modifies firewall policy service 3 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System regedit.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System regedit.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System regedit.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System regedit.exe -
Modifies security service 2 TTPs 2 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters regedit.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security regedit.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" regedit.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" regedit.exe -
Modify Registry: Disable Windows Driver Blocklist 2 TTPs 1 IoCs
Disables the Windows Driver Blocklist via the registry.
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0" regedit.exe -
Boot or Logon Autostart Execution: LSASS Driver 2 TTPs 1 IoCs
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. In this run the matching IoC is the RunAsPPL value under Control\Lsa being set to "0" (see the row below), i.e. LSA protected-process (PPL) enforcement is turned off rather than a driver being added.
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\RunAsPPL = "0" regedit.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 64 IoCs
pid Process 3060 PowerRun.exe 2816 PowerRun.exe 3904 PowerRun.exe 3248 PowerRun.exe 1900 PowerRun.exe 3440 PowerRun.exe 1708 PowerRun.exe 4500 PowerRun.exe 388 PowerRun.exe 4892 PowerRun.exe 1744 PowerRun.exe 4156 PowerRun.exe 2384 dismhost.exe 5000 PowerRun.exe 920 PowerRun.exe 1836 PowerRun.exe 1608 PowerRun.exe 4560 PowerRun.exe 3088 PowerRun.exe 4796 PowerRun.exe 5004 PowerRun.exe 3440 PowerRun.exe 4972 PowerRun.exe 4840 PowerRun.exe 4020 PowerRun.exe 4624 PowerRun.exe 1368 PowerRun.exe 4484 PowerRun.exe 1976 PowerRun.exe 4976 PowerRun.exe 3264 PowerRun.exe 5004 PowerRun.exe 3984 PowerRun.exe 4020 PowerRun.exe 4136 PowerRun.exe 1108 PowerRun.exe 4740 PowerRun.exe 2436 PowerRun.exe 1348 PowerRun.exe 388 PowerRun.exe 3492 PowerRun.exe 2448 PowerRun.exe 228 PowerRun.exe 1108 PowerRun.exe 3740 PowerRun.exe 4972 PowerRun.exe 2420 PowerRun.exe 812 PowerRun.exe 3780 PowerRun.exe 1900 PowerRun.exe 3548 PowerRun.exe 1560 PowerRun.exe 4740 PowerRun.exe 212 PowerRun.exe 4520 PowerRun.exe 2180 PowerRun.exe 4796 PowerRun.exe 1976 PowerRun.exe 2356 PowerRun.exe 4756 PowerRun.exe 5040 PowerRun.exe 1560 PowerRun.exe 2448 PowerRun.exe 2104 PowerRun.exe -
Loads dropped DLL 5 IoCs
pid Process 2384 dismhost.exe 2384 dismhost.exe 2384 dismhost.exe 2384 dismhost.exe 2384 dismhost.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" regedit.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
pid Process 4972 powershell.exe 1132 powershell.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\Logs\DISM\dism.log powershell.exe File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DefenderRemover (2).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1736 timeout.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" PowerRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" PowerRun.exe Set value (int) 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" PowerRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" PowerRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" PowerRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" PowerRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ PowerRun.exe Set 
value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ForegroundLockTimeout = "0" regedit.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" PowerRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" PowerRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 
PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\LowLevelHooksTimeout = "1" regedit.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\AppHost\PreventOverride = "0" regedit.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings\ZoneMap\UNCAsIntranet = "1" PowerRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" PowerRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ PowerRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ PowerRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\SmartScreenEnabled regedit.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ PowerRun.exe -
Modifies registry class 25 IoCs
description ioc Process Key deleted \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\DefaultIcon regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DefaultIcon regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.Defender regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Microsoft.Windows.Defender regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32 regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance\InitPropertyBag regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellFolder regedit.exe Key deleted \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell\open regedit.exe Key deleted \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} regedit.exe Key deleted \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell\open\command regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32 regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance\InitPropertyBag regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellFolder regedit.exe 
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DefaultIcon regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0} regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0} regedit.exe Key deleted \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Application regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32 regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32 regedit.exe Key deleted \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0 regedit.exe Key deleted \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-cxh regedit.exe -
Runs .reg file with regedit 42 IoCs
pid Process 2272 regedit.exe 2144 regedit.exe 3436 regedit.exe 3052 regedit.exe 2112 regedit.exe 1912 regedit.exe 1900 regedit.exe 3956 regedit.exe 2032 regedit.exe 4560 regedit.exe 2708 regedit.exe 2356 regedit.exe 2936 regedit.exe 3024 regedit.exe 216 regedit.exe 4348 regedit.exe 4624 regedit.exe 404 regedit.exe 920 regedit.exe 212 regedit.exe 1704 regedit.exe 4800 regedit.exe 1912 regedit.exe 1196 regedit.exe 4772 regedit.exe 2412 regedit.exe 676 regedit.exe 4624 regedit.exe 3164 regedit.exe 2056 regedit.exe 3060 regedit.exe 912 regedit.exe 4588 regedit.exe 4976 regedit.exe 604 regedit.exe 1452 regedit.exe 2180 regedit.exe 4576 regedit.exe 1336 regedit.exe 4156 regedit.exe 2932 regedit.exe 2732 regedit.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4972 powershell.exe 4972 powershell.exe 1132 powershell.exe 1132 powershell.exe 1132 powershell.exe 3060 PowerRun.exe 3060 PowerRun.exe 3060 PowerRun.exe 3060 PowerRun.exe 2816 PowerRun.exe 2816 PowerRun.exe 2816 PowerRun.exe 2816 PowerRun.exe 3904 PowerRun.exe 3904 PowerRun.exe 3904 PowerRun.exe 3904 PowerRun.exe 1900 PowerRun.exe 1900 PowerRun.exe 1900 PowerRun.exe 1900 PowerRun.exe 3440 PowerRun.exe 3440 PowerRun.exe 3440 PowerRun.exe 3440 PowerRun.exe 4500 PowerRun.exe 4500 PowerRun.exe 4500 PowerRun.exe 4500 PowerRun.exe 388 PowerRun.exe 388 PowerRun.exe 388 PowerRun.exe 388 PowerRun.exe 1744 PowerRun.exe 1744 PowerRun.exe 1744 PowerRun.exe 1744 PowerRun.exe 4156 PowerRun.exe 4156 PowerRun.exe 4156 PowerRun.exe 4156 PowerRun.exe 920 PowerRun.exe 920 PowerRun.exe 1836 PowerRun.exe 1836 PowerRun.exe 920 PowerRun.exe 920 PowerRun.exe 1836 PowerRun.exe 1836 PowerRun.exe 4560 PowerRun.exe 4560 PowerRun.exe 4560 PowerRun.exe 4560 PowerRun.exe 3088 PowerRun.exe 3088 PowerRun.exe 3088 PowerRun.exe 3088 PowerRun.exe 5004 PowerRun.exe 5004 PowerRun.exe 5004 PowerRun.exe 5004 PowerRun.exe 3440 PowerRun.exe 3440 PowerRun.exe 3440 PowerRun.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4972 powershell.exe Token: SeDebugPrivilege 1132 powershell.exe Token: SeDebugPrivilege 3060 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 3060 PowerRun.exe Token: SeIncreaseQuotaPrivilege 3060 PowerRun.exe Token: 0 3060 PowerRun.exe Token: SeDebugPrivilege 2816 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 2816 PowerRun.exe Token: SeIncreaseQuotaPrivilege 2816 PowerRun.exe Token: SeDebugPrivilege 3904 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 3904 PowerRun.exe Token: SeIncreaseQuotaPrivilege 3904 PowerRun.exe Token: 0 3904 PowerRun.exe Token: SeDebugPrivilege 1900 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 1900 PowerRun.exe Token: SeIncreaseQuotaPrivilege 1900 PowerRun.exe Token: SeDebugPrivilege 3440 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 3440 PowerRun.exe Token: SeIncreaseQuotaPrivilege 3440 PowerRun.exe Token: 0 3440 PowerRun.exe Token: SeDebugPrivilege 4500 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 4500 PowerRun.exe Token: SeIncreaseQuotaPrivilege 4500 PowerRun.exe Token: SeDebugPrivilege 388 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 388 PowerRun.exe Token: SeIncreaseQuotaPrivilege 388 PowerRun.exe Token: 0 388 PowerRun.exe Token: SeDebugPrivilege 1744 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 1744 PowerRun.exe Token: SeIncreaseQuotaPrivilege 1744 PowerRun.exe Token: SeDebugPrivilege 4156 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 4156 PowerRun.exe Token: SeIncreaseQuotaPrivilege 4156 PowerRun.exe Token: 0 4156 PowerRun.exe Token: SeDebugPrivilege 1836 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 1836 PowerRun.exe Token: SeDebugPrivilege 920 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 920 PowerRun.exe Token: SeIncreaseQuotaPrivilege 920 PowerRun.exe Token: SeIncreaseQuotaPrivilege 1836 PowerRun.exe Token: 0 1836 PowerRun.exe Token: SeDebugPrivilege 4560 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 4560 PowerRun.exe Token: 
SeIncreaseQuotaPrivilege 4560 PowerRun.exe Token: SeDebugPrivilege 3088 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 3088 PowerRun.exe Token: SeIncreaseQuotaPrivilege 3088 PowerRun.exe Token: 0 3088 PowerRun.exe Token: SeDebugPrivilege 5004 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 5004 PowerRun.exe Token: SeIncreaseQuotaPrivilege 5004 PowerRun.exe Token: SeDebugPrivilege 3440 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 3440 PowerRun.exe Token: SeBackupPrivilege 1132 powershell.exe Token: SeRestorePrivilege 1132 powershell.exe Token: SeIncreaseQuotaPrivilege 3440 PowerRun.exe Token: 0 3440 PowerRun.exe Token: SeDebugPrivilege 4840 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 4840 PowerRun.exe Token: SeIncreaseQuotaPrivilege 4840 PowerRun.exe Token: SeDebugPrivilege 4020 PowerRun.exe Token: SeAssignPrimaryTokenPrivilege 4020 PowerRun.exe Token: SeIncreaseQuotaPrivilege 4020 PowerRun.exe Token: 0 4020 PowerRun.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1896 wrote to memory of 760 1896 DefenderRemover (2).exe 84 PID 1896 wrote to memory of 760 1896 DefenderRemover (2).exe 84 PID 1896 wrote to memory of 760 1896 DefenderRemover (2).exe 84 PID 760 wrote to memory of 3164 760 cmd.exe 86 PID 760 wrote to memory of 3164 760 cmd.exe 86 PID 760 wrote to memory of 3164 760 cmd.exe 86 PID 760 wrote to memory of 4972 760 cmd.exe 96 PID 760 wrote to memory of 4972 760 cmd.exe 96 PID 760 wrote to memory of 4972 760 cmd.exe 96 PID 4972 wrote to memory of 1132 4972 powershell.exe 97 PID 4972 wrote to memory of 1132 4972 powershell.exe 97 PID 4972 wrote to memory of 1132 4972 powershell.exe 97 PID 760 wrote to memory of 3060 760 cmd.exe 99 PID 760 wrote to memory of 3060 760 cmd.exe 99 PID 760 wrote to memory of 3904 760 cmd.exe 104 PID 760 wrote to memory of 3904 760 cmd.exe 104 PID 760 wrote to memory of 3440 760 cmd.exe 128 PID 760 wrote to memory of 3440 760 cmd.exe 128 PID 3248 wrote to memory of 920 3248 PowerRun.exe 119 PID 3248 wrote to memory of 920 3248 PowerRun.exe 119 PID 760 wrote to memory of 388 760 cmd.exe 156 PID 760 wrote to memory of 388 760 cmd.exe 156 PID 1708 wrote to memory of 2356 1708 PowerRun.exe 112 PID 1708 wrote to memory of 2356 1708 PowerRun.exe 112 PID 760 wrote to memory of 4156 760 cmd.exe 178 PID 760 wrote to memory of 4156 760 cmd.exe 178 PID 1132 wrote to memory of 2384 1132 powershell.exe 116 PID 1132 wrote to memory of 2384 1132 powershell.exe 116 PID 4892 wrote to memory of 1900 4892 PowerRun.exe 179 PID 4892 wrote to memory of 1900 4892 PowerRun.exe 179 PID 760 wrote to memory of 1836 760 cmd.exe 120 PID 760 wrote to memory of 1836 760 cmd.exe 120 PID 5000 wrote to memory of 2732 5000 PowerRun.exe 122 PID 5000 wrote to memory of 2732 5000 PowerRun.exe 122 PID 760 wrote to memory of 3088 760 cmd.exe 124 PID 760 wrote to memory of 3088 760 cmd.exe 124 PID 1608 wrote to memory of 3164 1608 PowerRun.exe 125 PID 1608 wrote to memory of 3164 1608 
PowerRun.exe 125 PID 760 wrote to memory of 3440 760 cmd.exe 203 PID 760 wrote to memory of 3440 760 cmd.exe 203 PID 4796 wrote to memory of 4800 4796 PowerRun.exe 130 PID 4796 wrote to memory of 4800 4796 PowerRun.exe 130 PID 760 wrote to memory of 4020 760 cmd.exe 144 PID 760 wrote to memory of 4020 760 cmd.exe 144 PID 4972 wrote to memory of 1912 4972 PowerRun.exe 186 PID 4972 wrote to memory of 1912 4972 PowerRun.exe 186 PID 760 wrote to memory of 4484 760 cmd.exe 136 PID 760 wrote to memory of 4484 760 cmd.exe 136 PID 4624 wrote to memory of 2272 4624 PowerRun.exe 137 PID 4624 wrote to memory of 2272 4624 PowerRun.exe 137 PID 760 wrote to memory of 3264 760 cmd.exe 140 PID 760 wrote to memory of 3264 760 cmd.exe 140 PID 4976 wrote to memory of 2056 4976 PowerRun.exe 141 PID 4976 wrote to memory of 2056 4976 PowerRun.exe 141 PID 760 wrote to memory of 4020 760 cmd.exe 273 PID 760 wrote to memory of 4020 760 cmd.exe 273 PID 5004 wrote to memory of 604 5004 PowerRun.exe 145 PID 5004 wrote to memory of 604 5004 PowerRun.exe 145 PID 760 wrote to memory of 4740 760 cmd.exe 293 PID 760 wrote to memory of 4740 760 cmd.exe 293 PID 1108 wrote to memory of 1196 1108 PowerRun.exe 149 PID 1108 wrote to memory of 1196 1108 PowerRun.exe 149 PID 760 wrote to memory of 2144 760 cmd.exe 353 PID 760 wrote to memory of 2144 760 cmd.exe 353
Processes
C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe"C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c .\Script_Run.bat2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\choice.exechoice /C:yas /N3⤵
- System Location Discovery: System Language Discovery
PID:3164
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""RemoveSecHealthApp.ps1""' -Verb RunAs}"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "RemoveSecHealthApp.ps14⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\dismhost.exeC:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\dismhost.exe {D5D30325-AA08-49F3-913E-DC1E86598E65}5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2384
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"6⤵
- Modifies Windows Defender Real-time Protection settings
- Runs .reg file with regedit
PID:920
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3904 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"6⤵
- Windows security bypass
- Runs .reg file with regedit
PID:2356
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3440 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"6⤵
- Modifies Windows Defender Real-time Protection settings
- Runs .reg file with regedit
PID:1900
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:388 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"6⤵
- Modifies data under HKEY_USERS
- Runs .reg file with regedit
PID:2732
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"6⤵
- Runs .reg file with regedit
PID:3164
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4560 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"6⤵
- Runs .reg file with regedit
PID:4800
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3088 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"6⤵
- Runs .reg file with regedit
PID:1912
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3440 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4840 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"6⤵
- Modifies security service
- Runs .reg file with regedit
PID:2272
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4020 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"4⤵
- Executes dropped EXE
PID:1368 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"6⤵
- Modifies firewall policy service
- Modifies registry class
- Runs .reg file with regedit
PID:2056
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"3⤵
- Executes dropped EXE
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"4⤵
- Executes dropped EXE
PID:1976 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"6⤵
- Runs .reg file with regedit
PID:604
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"3⤵
- Executes dropped EXE
PID:3264 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"4⤵
- Executes dropped EXE
PID:3984 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"6⤵
- Runs .reg file with regedit
PID:1196
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"3⤵
- Executes dropped EXE
PID:4020 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"4⤵
- Executes dropped EXE
PID:4136 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2436 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"6⤵
- Modifies registry class
- Runs .reg file with regedit
PID:212
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"3⤵
- Executes dropped EXE
PID:4740 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"4⤵
- Executes dropped EXE
PID:1348 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:388 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"6⤵
- Runs .reg file with regedit
PID:2180
C:\Windows\SysWOW64\regedit.exeregedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"3⤵
- Modifies Windows Defender Real-time Protection settings
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:2144
C:\Windows\SysWOW64\regedit.exeregedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"3⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:1452
C:\Windows\SysWOW64\regedit.exeregedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"3⤵
- Modifies Windows Defender Real-time Protection settings
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:4772
C:\Windows\SysWOW64\regedit.exeregedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"3⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:3060
C:\Windows\SysWOW64\regedit.exeregedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"3⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:2936
C:\Windows\SysWOW64\regedit.exeregedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"3⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:3436
C:\Windows\SysWOW64\regedit.exeregedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"3⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:4576
C:\Windows\SysWOW64\regedit.exeregedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"3⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:3956
C:\Windows\SysWOW64\regedit.exeregedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"3⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry class
- Runs .reg file with regedit
PID:1336
C:\Windows\SysWOW64\regedit.exeregedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"3⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:3052
C:\Windows\SysWOW64\regedit.exeregedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"3⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:3024
C:\Windows\SysWOW64\regedit.exeregedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"3⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:2412
C:\Windows\SysWOW64\regedit.exeregedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"3⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:2112
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"3⤵
- Executes dropped EXE
PID:3492 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"4⤵
- Executes dropped EXE
PID:2448 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1108 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"6⤵
- Runs .reg file with regedit
PID:1704
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableLSAProtection.reg"3⤵
- Executes dropped EXE
PID:228 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableLSAProtection.reg"4⤵
- Executes dropped EXE
PID:3740 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableLSAProtection.reg"5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2420 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableLSAProtection.reg"6⤵
- Boot or Logon Autostart Execution: LSASS Driver
- Runs .reg file with regedit
PID:4156
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"3⤵
- Executes dropped EXE
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"4⤵
- Executes dropped EXE
PID:812 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1900 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"6⤵
- Runs .reg file with regedit
PID:2032
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"3⤵
- Executes dropped EXE
PID:3780 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"4⤵
- Executes dropped EXE
PID:3548 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4740 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"6⤵
- Modify Registry: Disable Windows Driver Blocklist
- Runs .reg file with regedit
PID:1912
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSmartScreen.reg"3⤵
- Executes dropped EXE
PID:1560 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSmartScreen.reg"4⤵
- Executes dropped EXE
PID:212 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSmartScreen.reg"5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2180 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSmartScreen.reg"6⤵
- Modifies data under HKEY_USERS
- Runs .reg file with regedit
PID:4560
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"3⤵
- Executes dropped EXE
PID:4520 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"4⤵
- Executes dropped EXE
PID:4796 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2356 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"6⤵
- Runs .reg file with regedit
PID:912
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"3⤵
- Executes dropped EXE
PID:1976 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"4⤵
- Executes dropped EXE
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"5⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"6⤵
- Runs .reg file with regedit
PID:676
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableTamperProtection.reg"3⤵
- Executes dropped EXE
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableTamperProtection.reg"4⤵
- Executes dropped EXE
PID:1560 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableTamperProtection.reg"5⤵
PID:1336
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableTamperProtection.reg"6⤵
- Runs .reg file with regedit
PID:4624
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"3⤵
- Executes dropped EXE
PID:2104 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"4⤵PID:1088
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"5⤵
- Modifies data under HKEY_USERS
PID:3440 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"6⤵
- UAC bypass
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Runs .reg file with regedit
PID:2932
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableVBS.reg"3⤵PID:3492
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableVBS.reg"4⤵PID:2612
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableVBS.reg"5⤵
- Modifies data under HKEY_USERS
PID:2552 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableVBS.reg"6⤵
- Runs .reg file with regedit
PID:216
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\ExploitGuard_d.reg"3⤵PID:1744
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\ExploitGuard_d.reg"4⤵PID:2348
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\ExploitGuard_d.reg"5⤵
- Modifies data under HKEY_USERS
PID:2420 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\ExploitGuard_d.reg"6⤵
- Runs .reg file with regedit
PID:4348
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"3⤵PID:4988
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"4⤵PID:4760
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"5⤵PID:1208
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"6⤵
- Runs .reg file with regedit
PID:4976
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"3⤵PID:4624
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"4⤵PID:4528
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"5⤵PID:1744
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"6⤵
- Runs .reg file with regedit
PID:2708
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"3⤵PID:64
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"4⤵PID:1600
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"5⤵
- Modifies data under HKEY_USERS
PID:4980 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"6⤵
- Runs .reg file with regedit
PID:4624
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"3⤵PID:2104
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"4⤵PID:2032
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"5⤵PID:4396
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"6⤵
- Modifies registry class
- Runs .reg file with regedit
PID:4588
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"3⤵PID:5028
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"4⤵PID:1280
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"5⤵
- Modifies data under HKEY_USERS
PID:224 -
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"6⤵
- Modifies firewall policy service
- Runs .reg file with regedit
PID:404
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""3⤵PID:4452
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""4⤵PID:952
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""5⤵
- Modifies data under HKEY_USERS
PID:688 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""6⤵PID:864
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""3⤵PID:1708
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""4⤵PID:4220
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""5⤵
- Modifies data under HKEY_USERS
PID:4740 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""6⤵PID:216
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""3⤵PID:4852
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""4⤵PID:2676
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""5⤵
- Modifies data under HKEY_USERS
PID:696 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""6⤵PID:1172
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:4624
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""3⤵PID:4284
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""4⤵PID:1976
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""5⤵
- Modifies data under HKEY_USERS
PID:1736 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthService.exe""6⤵PID:4972
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""3⤵PID:4156
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""4⤵PID:4844
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""5⤵
- Modifies data under HKEY_USERS
PID:4756 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""6⤵PID:4348
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""3⤵PID:4360
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""4⤵PID:2592
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""5⤵PID:4796
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""6⤵PID:1880
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:1336
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""3⤵PID:2004
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""4⤵PID:4668
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""5⤵PID:3588
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""6⤵PID:5104
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""3⤵PID:720
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""4⤵PID:1160
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""5⤵
- Modifies data under HKEY_USERS
PID:2552 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""6⤵PID:4020
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""3⤵PID:5036
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""4⤵PID:2448
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""5⤵
- Modifies data under HKEY_USERS
PID:1172 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""6⤵PID:212
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:4284
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""3⤵PID:4528
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""4⤵PID:4592
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""5⤵PID:4360
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""6⤵PID:3648
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""3⤵PID:3248
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""4⤵PID:2336
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""5⤵PID:860
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""6⤵PID:4976
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""3⤵PID:4680
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""4⤵PID:1708
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""5⤵
- Modifies data under HKEY_USERS
PID:3172 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""6⤵PID:5104
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:4972
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""3⤵PID:676
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""4⤵PID:3948
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""5⤵
- Modifies data under HKEY_USERS
PID:4740 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscproxystub.dll""6⤵PID:4420
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:912
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""3⤵PID:4540
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""4⤵PID:216
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""5⤵
- Modifies data under HKEY_USERS
PID:696 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscisvif.dll""6⤵PID:4344
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""3⤵PID:2412
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""4⤵PID:1396
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""5⤵
- Modifies data under HKEY_USERS
PID:4340 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""6⤵PID:3588
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""3⤵PID:1108
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""4⤵PID:4560
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""5⤵PID:4592
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.dll""6⤵PID:1064
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""3⤵PID:4036
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""4⤵PID:3080
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""5⤵
- Modifies data under HKEY_USERS
PID:4396 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""6⤵PID:2004
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""3⤵PID:2732
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""4⤵PID:2436
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""5⤵PID:216
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.exe""6⤵PID:3584
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""3⤵PID:1208
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""4⤵PID:1880
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""5⤵PID:3460
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""6⤵PID:2352
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""3⤵PID:3172
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""4⤵PID:864
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""5⤵
- Modifies data under HKEY_USERS
PID:4836 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\DWWIN.EXE""6⤵PID:4420
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""3⤵PID:1900
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""4⤵PID:5000
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""5⤵
- Modifies data under HKEY_USERS
PID:1968 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""6⤵PID:5036
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""3⤵PID:2784
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""4⤵PID:4568
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""5⤵PID:2056
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreenps.dll""6⤵PID:4772
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:5104
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""3⤵PID:552
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""4⤵PID:4796
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""5⤵
- Modifies data under HKEY_USERS
PID:3080 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""6⤵PID:4348
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:2180
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""3⤵PID:2688
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""4⤵PID:920
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""5⤵
- Modifies data under HKEY_USERS
PID:2160 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""6⤵PID:2144
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""3⤵PID:4740
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""4⤵PID:3172
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""5⤵
- Modifies data under HKEY_USERS
PID:1964 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""6⤵PID:2112
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:4772
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""3⤵PID:4020
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""4⤵PID:1132
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""5⤵
- Modifies data under HKEY_USERS
PID:3944 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""6⤵PID:4796
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""3⤵PID:4804
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""4⤵PID:4756
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""5⤵
- Modifies data under HKEY_USERS
PID:1280 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscapi.dll""6⤵PID:1348
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""3⤵PID:1368
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""4⤵PID:1556
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""5⤵
- Modifies data under HKEY_USERS
PID:2068 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscadminui.exe""6⤵PID:4680
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:3436
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""3⤵PID:5040
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""4⤵PID:3588
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""5⤵
- Modifies data under HKEY_USERS
PID:5044 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""6⤵PID:4368
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:4796
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""3⤵PID:2676
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""4⤵PID:5004
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""5⤵
- Modifies data under HKEY_USERS
PID:2144 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""6⤵PID:5008
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:3956
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""3⤵PID:5036
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""4⤵PID:4576
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""5⤵PID:3640
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""6⤵PID:1368
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""3⤵PID:812
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""4⤵PID:2436
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""5⤵PID:952
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""6⤵PID:2056
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""3⤵PID:4416
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""4⤵PID:3740
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""5⤵PID:2752
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\msseccore.sys""6⤵PID:4396
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""3⤵PID:3960
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""4⤵PID:1736
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""5⤵PID:2032
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""6⤵PID:4368
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:3588
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""3⤵PID:3612
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""4⤵PID:3780
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""5⤵PID:1880
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""6⤵PID:952
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q3⤵PID:2216
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q4⤵PID:3080
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q5⤵PID:3888
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q6⤵PID:2348
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q3⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q4⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q5⤵PID:1132
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q6⤵PID:4048
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q3⤵PID:1108
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q4⤵PID:3940
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q5⤵PID:4420
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q6⤵PID:1976
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q3⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q4⤵PID:808
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q5⤵PID:1196
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q6⤵PID:4904
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q3⤵PID:4560
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q4⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q5⤵PID:3080
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q6⤵PID:3984
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q3⤵PID:1488
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q4⤵PID:5116
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q5⤵PID:3524
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q6⤵PID:2864
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q3⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q4⤵PID:4344
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q5⤵PID:1696
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q6⤵PID:4452
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q3⤵PID:4360
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q4⤵PID:3052
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q5⤵PID:1600
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q6⤵PID:3984
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q3⤵PID:1860
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q4⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q5⤵PID:812
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q6⤵PID:3960
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q3⤵PID:2816
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q4⤵PID:1976
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q5⤵PID:4388
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender" /s /q6⤵PID:3348
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:1912
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q3⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q4⤵PID:3640
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q5⤵PID:4680
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\SecurityHealth" /s /q6⤵PID:4540
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q3⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q4⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q5⤵PID:4560
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q6⤵PID:2144
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:4852
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q3⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q4⤵PID:1072
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q5⤵PID:2164
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Sgrm" /s /q6⤵PID:468
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q3⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q4⤵PID:4760
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q5⤵PID:4404
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q6⤵PID:5008
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q3⤵PID:3804
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q4⤵PID:4136
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q5⤵PID:5004
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q6⤵PID:3088
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q3⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q4⤵PID:3620
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q5⤵PID:1548
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q6⤵PID:468
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q3⤵PID:3608
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q4⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q5⤵PID:3944
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q6⤵PID:2032
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q3⤵PID:3784
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q4⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q5⤵PID:3940
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q6⤵PID:4592
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q3⤵PID:1488
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q4⤵PID:952
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q5⤵PID:812
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q6⤵PID:468
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q3⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q4⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q5⤵PID:3620
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q6⤵PID:1496
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:3584
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q3⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q4⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q5⤵PID:3504
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q6⤵PID:2092
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q3⤵PID:4344
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q4⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q5⤵PID:4156
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q6⤵PID:1172
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q3⤵PID:1708
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q4⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q5⤵PID:3944
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\bcastdvr" /s /q6⤵PID:2576
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exePowerRun cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q3⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q4⤵PID:1548
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q5⤵PID:676
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q6⤵PID:4520
-
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 103⤵
- Delays execution with timeout.exe
PID:1736
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown /r /f /t 03⤵PID:212
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38ac055 /state1:0x41c64e6d1⤵PID:4364
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1LSASS Driver
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Component Object Model Hijacking
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1LSASS Driver
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Component Object Model Hijacking
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Indicator Removal
1File Deletion
1Modify Registry
6
Downloads
-
Filesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
Filesize
15KB
MD5bb7e9821c8dc8d4430e3db46335ff88f
SHA15e7e314d5bb4663085139cf98dee612033250663
SHA2565e194cd7f357bc48b5a45bcd0684509b0776508e6a9f504a9cda9916469f59bf
SHA51295921600ae3fe26c8e64bd6eaa9eb365b7b3aeaccb3eb25e4c5d2540bc778cb4dcf3a96ef472e62db01eb33b075608408c4435f747e409474149830d84695796
-
Filesize
554KB
MD5a7927846f2bd5e6ab6159fbe762990b1
SHA18e3b40c0783cc88765bbc02ccc781960e4592f3f
SHA256913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f
SHA5121eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f
-
Filesize
183KB
MD5a033f16836d6f8acbe3b27b614b51453
SHA1716297072897aea3ec985640793d2cdcbf996cf9
SHA256e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e
SHA512ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871
-
Filesize
142KB
MD5e5d5e9c1f65b8ec7aa5b7f1b1acdd731
SHA1dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
SHA256e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
SHA5127cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc
-
Filesize
77KB
MD5815a4e7a7342224a239232f2c788d7c0
SHA1430b7526d864cfbd727b75738197230d148de21a
SHA256a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2
SHA5120c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349
-
Filesize
149KB
MD5db4c3a07a1d3a45af53a4cf44ed550ad
SHA15dea737faadf0422c94f8f50e9588033d53d13b3
SHA2562165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758
SHA5125182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde
-
Filesize
255KB
MD5490be3119ea17fa29329e77b7e416e80
SHA1c71191c3415c98b7d9c9bbcf1005ce6a813221da
SHA256ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a
SHA5126339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13
-
Filesize
28KB
MD51524a28cbc30e70c60bc6cf977f82229
SHA1664f15cea146b654ec4a60c76071ff83c4dfa651
SHA2568561191653adc4ee6cb03a5c1953bd993782689600adebcd8776754147668f9b
SHA5127fbee3bc38aca8ef368c1ff07eb1f4fb3f178628f8b41430eb1006c63bd908f26a1d85a19f2d661b02d3842505c9c762c8056fb2f1619b92a3a6d1085f0b9c50
-
Filesize
28KB
MD59e7bb9c31083cc3a0f561d12311c9d83
SHA19102b88339566d5f0490c25180632043c8bb1809
SHA2562658178fd2cb498195032c531bf3bb037954e0614aaec4c4ac2637f08d949bc1
SHA5121fb30279a1f951a98f609eb749deb6c77082c28a30e1fdd4f3224ddac8ddfad134e8f3c44f82c32501da8a93a978e6cf8dfe591039a0e6af0d4d2a1dc5445699
-
Filesize
873KB
MD5fc1fb033d57f72089fb4762245a8b18d
SHA17ec0f7ca5f0e0d20e5372bf69865d0a809e6cc8e
SHA256a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2
SHA512cff3833e592a5fe1f1fcb656c42e77fdd177c902f84cf396365cfa04edc9ec046de3473a943779d3815bc36bf48182101703b20b08ae580c2b3ba20508d231d0
-
Filesize
1KB
MD5e578450ec12ca326ee55a47f121defa3
SHA15c9ac60207ce7bf80ca0cd075ec196deba41f2cc
SHA256b29d37c2d89b1d20ae79863e55a8bd41ee430a6115d695435cf3f5976dc35d32
SHA5121d524d422883604f8841d6e88e3f1c138e55426c72c9ed0ba2a7cbd15c1bc01327c1e1f7087b28a3d7a47244b2b92b7bb054f40b3e0a63fc9f3d6fbf13e7ab5b
-
Filesize
1KB
MD51ed85b1fd58eaf5b12f230e9f861efa5
SHA1e34470a63ae079199a420e04494ccd723ebccfc5
SHA256bb5e1cd5973932797a7c3c1706255c7314fd0843558ce270e296c735c1bb256f
SHA5123c2a030b63d42713045e9cc9edc3c5602c82fd17e2f4cb74b8a64e894e8aaa2cb773b86b03754ce6f60ea72c6be0eee559d980237378c1aa54c4147b4e91f594
-
Filesize
8KB
MD5577d9bbc801d8c6df2d0f0b1aff298f4
SHA14c42779c0061075629692ad18f15adc369d8ca79
SHA25699fdaaaf838c00099e5beadd4725be22cdc4687f2aded7670fa12bc95f888409
SHA5123bf58a3e6314807362807e562008427a8f4149f926ec24874e81fd6574e8d26f9bfe4f633ff95d0f2b1036152b0b1a7bf1f916d238b3048ec475db2f5f64393e
-
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg
Filesize1KB
MD5dc3b2b1aad7850d42d5154f0e11a3121
SHA1f8a9fe5e2a7b1b76ced9cd4f7495b2144adc9fbe
SHA256c12fa69a11f6b935d127295336b053a3a7bf3277b81bf9092e978b1420fa3bc3
SHA512f73bd0111dbe06640016765181d4e91b726fd3c53e0ba74049b263a430a32dd347e5004151650bc832d85d93e5e893793376a8013c1d8492f5c0256a3b6176fa
-
Filesize
1KB
MD5ec521e7934667f3b0c3000b88c020b47
SHA1a1cab54cbe572995cd075a6723c0fff038551711
SHA2564aa6abeefaa66645923525a48911311060164fbfcfe8ffded6c6fac6d8b8fc04
SHA512c036043681bb2fe346e0a989e6981d62f40c89cfb036f6d65766319c6fb1c295ae25fe1befed7fd827b79c79927bb4dbe9fd0918bb768183147704889822e05f
-
Filesize
4KB
MD5bec3d75cd3a619595427f9a122adfd25
SHA11003c1c4833e1c9d9b43ff7c0a2dc2e85d07275e
SHA256de5d76c4c1be4b15ff011c46e4ff3101f5ffd3ac7ee8bab00753feaae208f75c
SHA51256827aaf3b106c18a4563e14e07d8372d7e96fa3103f63ab9e1a98e4e9fc77c3f37f7d7591bf7102fa2261ef812578498d73f3468c48c22782933635e8272a49
-
Filesize
574B
MD53efc2ed4909f33432d597d950d9cf9eb
SHA138603fe0665fbfa8c2a2c45fba11800433e6a8f4
SHA2568143feeb32a4edbd649ce033a551f878360603aa248faf82d01c1f292cf49a4c
SHA512743bfa2eebdc9b1754fc70fd5004a8984e17a3469dd0a31a20ec1abbd1e87efc490f0f419bb33dd2750545276fdf6505bea1ae88dce81f437b0eab68e62584ee
-
Filesize
1KB
MD54193b815bedd1a921e38b6724ad2df63
SHA1d371e4643149d0bd2cab2e8090fadab78398728e
SHA256f5e7910242b58b72c7a24ac1b5455adaac5ac3af013f42e041d5e75dabfe6c4f
SHA512cdfa900ef8825bf4de1353cad13280d3f61e2ad4efb33ccff3ae39ef7dfb27db36d451e764353c5cb972fde63d2deb8e927abc4dc7f06b828e534657e42253d8
-
Filesize
1KB
MD5d111b6ca48aae35dd3632e8500c7ff22
SHA1d812fcec4a3aba1e3f129912d122d5c7bf02d44a
SHA25679927259642e2b0d0dc47e9faa2c15e30e07af62ade53f35291caab84eedde72
SHA51213027c715eec3bb92788071d2113efd30a0ac0ba2df3f003ad9ce15d65b2d34ff3500a263435f58ff440d1a5d92c17a4c2a89f1a1aef50d6e49295cc6582e160
-
Filesize
579B
MD5c4ab563b3e79a74d01d8468ecd635a58
SHA14972163b56f7cde494b7087e69f4a23a5b34a9a4
SHA256f658b566041cc2b9b56ac864dc09fcb285d4f6cff3ca071976887627df3645a4
SHA5125f7c034a4f286a3232d65a8a1f687bf8d4f7d0174f54848b4c7cbe8ae69a383adbd985f4c65a007fe88ca8ee85ba12826d08ea9bd89aa56b10253590a850f8c2
-
Filesize
605B
MD56a7ac93420d7960a4d7f2bbe805e9ff7
SHA1e228c0525def730eafb57044886b0c673900aa1c
SHA25683f076d81891a2079197344dd5971fc419a56d7c4263b1f17ed31c73aa026dcb
SHA512ee535f4eac8024185110515fe98dc6385cce6f2cb07291cfa244e8b0c2dbbfd265dc7d9e61029612c789f3cc96c10fa57410e4813ecaf214dacd0ecd9b8958ac
-
Filesize
9KB
MD5f5f2b8421012d9ce3dec75b23d6d3dac
SHA162bb1f88eb6207caa946eb101d8e5c5a2c56df7f
SHA256ada4a79590a11e83cc9c99266fdebe23e5cbfe15aee08cc260668a9956fa21d2
SHA512d6ad16a7b69637a49464e1556631f853b85bb12548613c29247c9cf832c1cd0b77d0f2e3ef60cb84e378a3f1cb29870e110b9dbf1b8d4426ea665b14d8ef592d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
11KB
MD54a83df1d945c2f5801ed59650d7460eb
SHA131827890e1df99268c0f80dcb26774225e4c3a5d
SHA2562d993be76dfcf35f89b656b4dbc553e078d824974b482e56c6f76eaea87731c8
SHA512eacb88683e3c999a1cdc9d9e4a4030723164e358d7cd85f7cfc02b99f33be991c89af5602349b48b5388520968a43a2a45b4b6d2f468f2b888088cf95bd591d2
-
Filesize
10KB
MD509ca17eb552722bd7004097f59b07518
SHA136cf9da188460542e58acb97fa0ef0bfd9a4e172
SHA256365c32c3c09228158ab5aaabfcf93cdfcd858be0b2a00031d82ab03070f61a5b
SHA5123dc6ed86df50f87b12635032fb30840e94bea699ac193a16099a2ce1a9bd5e39147f115fb938c177991dc0dcfd5abab075632a1d0b46e6009a86eea3a27156bf
-
Filesize
5KB
MD596c0e61f3298cb745b021f67e7dd0d48
SHA1a61adbe460c68a3087ff1ba75620dbb86af28e40
SHA2563e56c22a81ab1168036a289c7ffe2889dd678c422568dff9ef91d6a0f9005333
SHA512dbbfdd4ad2c80ff9df0b21dfd011420baba54a7114d0e0ff5371dda9c9389d90422a4311881ac2bdb5ba7c4334d210b61c6c0fc691ae503e32930109d9251f3e
-
Filesize
2.1MB
MD5b04906ec77a77ebdf04b27077ae690a6
SHA142a4c1efa93774e6327496fbc167b67bd1015478
SHA256ded5df56838c1923a040943e6136a86e0713e0bf42669721a66cccc6f4341e03
SHA512b144b56bfb93addef4794d9bd5d5cd5b5ca4717d792bc79ffeb6dcfb3fb024a6ca8cec53de54e2f3d1acc6a9bddf8387843000312fdba5fc7d5e5d1299a905e9
-
Filesize
2.1MB
MD5830b5933e8dd680cad7a039b1e02136a
SHA13371f5de2143cef5e20f7793358798e16941e4ee
SHA25656f9183da541340d296223840edabd8251ea86c66c4947f4f7510ab6fc4eb5fc
SHA512478878657efc1e2d8cf0794c572ad1d7461843bff0384fbfa897ed715103fb814df5a36fe2d2c5fb64a02baf2bd40724873dbbb61cc60f027eae1f569ce867ef