Malware Analysis Report

2025-06-16 00:52

Sample ID: 241105-ttyxjaxjeq
Target: DefenderRemover (2).exe
SHA256: 704ebc20fe0c7678a2b73d97ba6ad2945ece3a7d35ba0e0a394b629570af00ca
Tags: credential_access defense_evasion discovery evasion execution persistence privilege_escalation trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 704ebc20fe0c7678a2b73d97ba6ad2945ece3a7d35ba0e0a394b629570af00ca

Threat Level: Known bad

The file DefenderRemover (2).exe was found to be: Known bad.

Malicious Activity Summary

credential_access defense_evasion discovery evasion execution persistence privilege_escalation trojan

Modifies Windows Defender Real-time Protection settings

UAC bypass

Modifies firewall policy service

Windows security bypass

Modifies security service

Modify Registry: Disable Windows Driver Blocklist

Loads dropped DLL

Boot or Logon Autostart Execution: LSASS Driver

Executes dropped EXE

Event Triggered Execution: Component Object Model Hijacking

Hijack Execution Flow: Executable Installer File Permissions Weakness

Indicator Removal: File Deletion

Command and Scripting Interpreter: PowerShell

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs .reg file with regedit

Modifies registry class

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-05 16:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 16:21

Reported

2024-11-05 16:23

Platform

win7-20240903-en

Max time kernel

69s

Max time network

83s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" C:\Windows\regedit.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System C:\Windows\SysWOW64\regedit.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security C:\Windows\regedit.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\regedit.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions C:\Windows\regedit.exe N/A

Modify Registry: Disable Windows Driver Blocklist

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0" C:\Windows\regedit.exe N/A

Boot or Logon Autostart Execution: LSASS Driver

persistence credential_access
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\RunAsPPL = "0" C:\Windows\regedit.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Windows\regedit.exe N/A

Indicator Removal: File Deletion

defense_evasion

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\Software\Microsoft C:\Windows\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Security Health\State C:\Windows\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Edge\SmartScreenEnabled\ = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop C:\Windows\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Security Health C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MenuShowDelay = "1" C:\Windows\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion C:\Windows\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance\InitPropertyBag C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance\InitPropertyBag C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellFolder C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}\Version C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\shdocvw C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}\Elevation C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DefaultIcon C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DefaultIcon C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}\InprocServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\urlmon C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellFolder C:\Windows\regedit.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2860 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2860 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2860 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2860 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2860 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2860 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2860 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 1556 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 1556 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 1556 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 1556 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 1556 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 1556 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 1556 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2860 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2860 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2860 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2860 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2860 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2860 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2860 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2860 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2860 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2860 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2860 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 584 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 584 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 584 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 2860 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2192 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2192 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2192 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 572 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 572 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 572 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2860 wrote to memory of 872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2860 wrote to memory of 872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2860 wrote to memory of 872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2860 wrote to memory of 872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 2860 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 2860 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 2860 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 2860 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 1568 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 1568 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PID 1568 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe

"C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c .\Script_Run.bat

C:\Windows\SysWOW64\choice.exe

choice /C:yas /N

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""RemoveSecHealthApp.ps1""' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "RemoveSecHealthApp.ps1

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241105162241.log C:\Windows\Logs\CBS\CbsPersist_20241105162241.cab

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableLSAProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableLSAProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSmartScreen.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSmartScreen.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSmartScreen.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableLSAProtection.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSmartScreen.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableLSAProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableTamperProtection.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableTamperProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableUAC.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableTamperProtection.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableTamperProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableUAC.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableVBS.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableVBS.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\ExploitGuard_d.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\ExploitGuard_d.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableUAC.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableVBS.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableUAC.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\ExploitGuard_d.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableVBS.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\ExploitGuard_d.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "194223660453074852-526454910-106110664419880930472794987571902071312274225688"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthService.exe""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscproxystub.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscisvif.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "708259886-584406424-129302424-1780450336-462256511-960555870340997988782528271"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5642803151429806403-3547610521022714023921698885-1479706827-1101874266939449979"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\DWWIN.EXE""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1411542842-16744639511034349091858210301-22643756415321081601715263801870295164"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreenps.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscapi.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscadminui.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\msseccore.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1012233847-314622622114799820-1814215941054314816-413591086807587091516618140"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1585183951-1351622258-170208819319837239701613685686-21404418071652166745-1438334162"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "66668048911085512351867348045-115626097315197658121413841540-393038747-1838518168"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\SecurityHealth" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Sgrm" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-994438425130759331116691293671786760435-14586724227651154781655446695-1278724749"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9151360531910444911-2634892701987257915-89504012210106233391944291150964268701"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-70868699911250104141378527283-961858413111870610-68263274691228917-449064307"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-117842091115242740721757520273-527437495-141413450-14693757801383664598802988770"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\bcastdvr" /s /q

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "355254960683047442-42918919114915667611199798-280480174-137899975-444766769"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q

C:\Windows\SysWOW64\timeout.exe

timeout 10

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /f /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Script_Run.bat

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

C:\Users\Admin\AppData\Local\Temp\2i3f0m8z.tmp

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\RemoveSecHealthApp.ps1

C:\Users\Admin\AppData\Local\Temp\autBCF9.tmp

C:\Users\Admin\AppData\Local\Temp\autBD57.tmp

C:\Users\Admin\AppData\Local\Temp\autBD58.tmp

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg

C:\Users\Admin\AppData\Local\Temp\1w4c8l4p.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 16:21

Reported

2024-11-05 16:22

Platform

win10v2004-20241007-en

Max time kernel

26s

Max time network

44s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" C:\Windows\regedit.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System C:\Windows\regedit.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security C:\Windows\regedit.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" C:\Windows\regedit.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\regedit.exe N/A

Modify Registry: Disable Windows Driver Blocklist

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0" C:\Windows\regedit.exe N/A

Boot or Logon Autostart Execution: LSASS Driver

persistence credential_access
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\RunAsPPL = "0" C:\Windows\regedit.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Windows\regedit.exe N/A

Indicator Removal: File Deletion

defense_evasion

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\dismhost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ForegroundLockTimeout = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\LowLevelHooksTimeout = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\AppHost\PreventOverride = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\SmartScreenEnabled C:\Windows\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\DefaultIcon C:\Windows\SysWOW64\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DefaultIcon C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.Defender C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Microsoft.Windows.Defender C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance\InitPropertyBag C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellFolder C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell\open C:\Windows\SysWOW64\regedit.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell C:\Windows\SysWOW64\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell\open\command C:\Windows\SysWOW64\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance\InitPropertyBag C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellFolder C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DefaultIcon C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Application C:\Windows\SysWOW64\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0 C:\Windows\SysWOW64\regedit.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-cxh C:\Windows\SysWOW64\regedit.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1896 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe C:\Windows\SysWOW64\cmd.exe
PID 1896 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe C:\Windows\SysWOW64\cmd.exe
PID 1896 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe C:\Windows\SysWOW64\cmd.exe
PID 760 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 760 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 760 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 760 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1132 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1132 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1132 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 760 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 760 wrote to memory of 3904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 760 wrote to memory of 3904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 760 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 760 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 3248 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 3248 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 760 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 760 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 1708 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 1708 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 760 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\regedit.exe
PID 760 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\regedit.exe
PID 1132 wrote to memory of 2384 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\dismhost.exe
PID 1132 wrote to memory of 2384 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\dismhost.exe
PID 4892 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 4892 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 760 wrote to memory of 1836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 760 wrote to memory of 1836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 5000 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 5000 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 760 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 760 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 1608 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 1608 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 760 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 760 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 4796 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 4796 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 760 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 760 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 4972 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 4972 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 760 wrote to memory of 4484 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 760 wrote to memory of 4484 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 4624 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 4624 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 760 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 760 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 4976 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 4976 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 760 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 760 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 5004 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 5004 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 760 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 760 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PID 1108 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 1108 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe C:\Windows\regedit.exe
PID 760 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 760 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe

"C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c .\Script_Run.bat

C:\Windows\SysWOW64\choice.exe

choice /C:yas /N

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""RemoveSecHealthApp.ps1""' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "RemoveSecHealthApp.ps1

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"

C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\dismhost.exe {D5D30325-AA08-49F3-913E-DC1E86598E65}

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableLSAProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableLSAProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableLSAProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableLSAProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSmartScreen.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSmartScreen.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSmartScreen.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSmartScreen.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableTamperProtection.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableTamperProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableTamperProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableVBS.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableTamperProtection.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableVBS.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\ExploitGuard_d.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableVBS.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\ExploitGuard_d.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableVBS.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\ExploitGuard_d.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\ExploitGuard_d.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthService.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscproxystub.dll""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscisvif.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\DWWIN.EXE""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreenps.dll""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscapi.dll""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscadminui.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\msseccore.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender" /s /q

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\SecurityHealth" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Sgrm" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

PowerRun cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q

C:\Windows\SysWOW64\timeout.exe

timeout 10

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\bcastdvr" /s /q

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /f /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa38ac055 /state1:0x41c64e6d

Network

Country  Destination         Domain                       Proto
US       8.8.8.8:53          g.bing.com                   udp
US       150.171.28.10:443   g.bing.com                   tcp
US       8.8.8.8:53          8.8.8.8.in-addr.arpa         udp
US       8.8.8.8:53          28.118.140.52.in-addr.arpa   udp
US       8.8.8.8:53          14.160.190.20.in-addr.arpa   udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53          83.210.23.2.in-addr.arpa     udp
US       8.8.8.8:53          55.36.223.20.in-addr.arpa    udp
US       8.8.8.8:53          209.205.72.20.in-addr.arpa   udp
US       8.8.8.8:53          53.210.109.20.in-addr.arpa   udp
US       8.8.8.8:53          18.31.95.13.in-addr.arpa     udp
US       8.8.8.8:53          69.209.201.84.in-addr.arpa   udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Script_Run.bat

MD5 f5f2b8421012d9ce3dec75b23d6d3dac
SHA1 62bb1f88eb6207caa946eb101d8e5c5a2c56df7f
SHA256 ada4a79590a11e83cc9c99266fdebe23e5cbfe15aee08cc260668a9956fa21d2
SHA512 d6ad16a7b69637a49464e1556631f853b85bb12548613c29247c9cf832c1cd0b77d0f2e3ef60cb84e378a3f1cb29870e110b9dbf1b8d4426ea665b14d8ef592d

memory/4972-66-0x000000007461E000-0x000000007461F000-memory.dmp

memory/4972-67-0x00000000045C0000-0x00000000045F6000-memory.dmp

memory/4972-69-0x0000000004CC0000-0x00000000052E8000-memory.dmp

memory/4972-68-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/4972-70-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/4972-71-0x0000000004C20000-0x0000000004C42000-memory.dmp

memory/4972-72-0x00000000053F0000-0x0000000005456000-memory.dmp

memory/4972-73-0x0000000005460000-0x00000000054C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s5jba5cp.sgj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4972-79-0x0000000005590000-0x00000000058E4000-memory.dmp

memory/4972-84-0x0000000005BE0000-0x0000000005BFE000-memory.dmp

memory/4972-85-0x0000000005C10000-0x0000000005C5C000-memory.dmp

memory/4972-86-0x0000000006160000-0x00000000061F6000-memory.dmp

memory/4972-87-0x00000000060E0000-0x00000000060FA000-memory.dmp

memory/4972-88-0x0000000006130000-0x0000000006152000-memory.dmp

memory/4972-89-0x0000000007350000-0x00000000078F4000-memory.dmp

memory/4972-92-0x0000000074610000-0x0000000074DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe

MD5 fc1fb033d57f72089fb4762245a8b18d
SHA1 7ec0f7ca5f0e0d20e5372bf69865d0a809e6cc8e
SHA256 a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2
SHA512 cff3833e592a5fe1f1fcb656c42e77fdd177c902f84cf396365cfa04edc9ec046de3473a943779d3815bc36bf48182101703b20b08ae580c2b3ba20508d231d0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

C:\Users\Admin\AppData\Local\Temp\3h0s6z0g.tmp

MD5 9e7bb9c31083cc3a0f561d12311c9d83
SHA1 9102b88339566d5f0490c25180632043c8bb1809
SHA256 2658178fd2cb498195032c531bf3bb037954e0614aaec4c4ac2637f08d949bc1
SHA512 1fb30279a1f951a98f609eb749deb6c77082c28a30e1fdd4f3224ddac8ddfad134e8f3c44f82c32501da8a93a978e6cf8dfe591039a0e6af0d4d2a1dc5445699

memory/1132-128-0x0000000005EA0000-0x00000000061F4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bb7e9821c8dc8d4430e3db46335ff88f
SHA1 5e7e314d5bb4663085139cf98dee612033250663
SHA256 5e194cd7f357bc48b5a45bcd0684509b0776508e6a9f504a9cda9916469f59bf
SHA512 95921600ae3fe26c8e64bd6eaa9eb365b7b3aeaccb3eb25e4c5d2540bc778cb4dcf3a96ef472e62db01eb33b075608408c4435f747e409474149830d84695796

memory/1132-130-0x0000000006A70000-0x0000000006ABC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\RemoveSecHealthApp.ps1

MD5 e578450ec12ca326ee55a47f121defa3
SHA1 5c9ac60207ce7bf80ca0cd075ec196deba41f2cc
SHA256 b29d37c2d89b1d20ae79863e55a8bd41ee430a6115d695435cf3f5976dc35d32
SHA512 1d524d422883604f8841d6e88e3f1c138e55426c72c9ed0ba2a7cbd15c1bc01327c1e1f7087b28a3d7a47244b2b92b7bb054f40b3e0a63fc9f3d6fbf13e7ab5b

memory/1132-133-0x00000000704B0000-0x00000000704FC000-memory.dmp

memory/1132-132-0x0000000007670000-0x00000000076A2000-memory.dmp

memory/1132-143-0x00000000076B0000-0x00000000076CE000-memory.dmp

memory/1132-144-0x0000000007780000-0x0000000007823000-memory.dmp

memory/1132-167-0x0000000007EB0000-0x000000000852A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\autB141.tmp

MD5 96c0e61f3298cb745b021f67e7dd0d48
SHA1 a61adbe460c68a3087ff1ba75620dbb86af28e40
SHA256 3e56c22a81ab1168036a289c7ffe2889dd678c422568dff9ef91d6a0f9005333
SHA512 dbbfdd4ad2c80ff9df0b21dfd011420baba54a7114d0e0ff5371dda9c9389d90422a4311881ac2bdb5ba7c4334d210b61c6c0fc691ae503e32930109d9251f3e

C:\Users\Admin\AppData\Local\Temp\autB130.tmp

MD5 09ca17eb552722bd7004097f59b07518
SHA1 36cf9da188460542e58acb97fa0ef0bfd9a4e172
SHA256 365c32c3c09228158ab5aaabfcf93cdfcd858be0b2a00031d82ab03070f61a5b
SHA512 3dc6ed86df50f87b12635032fb30840e94bea699ac193a16099a2ce1a9bd5e39147f115fb938c177991dc0dcfd5abab075632a1d0b46e6009a86eea3a27156bf

C:\Users\Admin\AppData\Local\Temp\autB12F.tmp

MD5 4a83df1d945c2f5801ed59650d7460eb
SHA1 31827890e1df99268c0f80dcb26774225e4c3a5d
SHA256 2d993be76dfcf35f89b656b4dbc553e078d824974b482e56c6f76eaea87731c8
SHA512 eacb88683e3c999a1cdc9d9e4a4030723164e358d7cd85f7cfc02b99f33be991c89af5602349b48b5388520968a43a2a45b4b6d2f468f2b888088cf95bd591d2

memory/1132-194-0x0000000007890000-0x000000000789A000-memory.dmp

memory/1132-232-0x0000000007A30000-0x0000000007A56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg

MD5 1ed85b1fd58eaf5b12f230e9f861efa5
SHA1 e34470a63ae079199a420e04494ccd723ebccfc5
SHA256 bb5e1cd5973932797a7c3c1706255c7314fd0843558ce270e296c735c1bb256f
SHA512 3c2a030b63d42713045e9cc9edc3c5602c82fd17e2f4cb74b8a64e894e8aaa2cb773b86b03754ce6f60ea72c6be0eee559d980237378c1aa54c4147b4e91f594

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg

MD5 dc3b2b1aad7850d42d5154f0e11a3121
SHA1 f8a9fe5e2a7b1b76ced9cd4f7495b2144adc9fbe
SHA256 c12fa69a11f6b935d127295336b053a3a7bf3277b81bf9092e978b1420fa3bc3
SHA512 f73bd0111dbe06640016765181d4e91b726fd3c53e0ba74049b263a430a32dd347e5004151650bc832d85d93e5e893793376a8013c1d8492f5c0256a3b6176fa

C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\DismHost.exe

MD5 e5d5e9c1f65b8ec7aa5b7f1b1acdd731
SHA1 dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
SHA256 e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
SHA512 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\DismCorePS.dll

MD5 a033f16836d6f8acbe3b27b614b51453
SHA1 716297072897aea3ec985640793d2cdcbf996cf9
SHA256 e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e
SHA512 ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\dismprov.dll

MD5 490be3119ea17fa29329e77b7e416e80
SHA1 c71191c3415c98b7d9c9bbcf1005ce6a813221da
SHA256 ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a
SHA512 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\OSProvider.dll

MD5 db4c3a07a1d3a45af53a4cf44ed550ad
SHA1 5dea737faadf0422c94f8f50e9588033d53d13b3
SHA256 2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758
SHA512 5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\LogProvider.dll

MD5 815a4e7a7342224a239232f2c788d7c0
SHA1 430b7526d864cfbd727b75738197230d148de21a
SHA256 a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2
SHA512 0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg

MD5 577d9bbc801d8c6df2d0f0b1aff298f4
SHA1 4c42779c0061075629692ad18f15adc369d8ca79
SHA256 99fdaaaf838c00099e5beadd4725be22cdc4687f2aded7670fa12bc95f888409
SHA512 3bf58a3e6314807362807e562008427a8f4149f926ec24874e81fd6574e8d26f9bfe4f633ff95d0f2b1036152b0b1a7bf1f916d238b3048ec475db2f5f64393e

C:\Windows\Logs\DISM\dism.log

MD5 b04906ec77a77ebdf04b27077ae690a6
SHA1 42a4c1efa93774e6327496fbc167b67bd1015478
SHA256 ded5df56838c1923a040943e6136a86e0713e0bf42669721a66cccc6f4341e03
SHA512 b144b56bfb93addef4794d9bd5d5cd5b5ca4717d792bc79ffeb6dcfb3fb024a6ca8cec53de54e2f3d1acc6a9bddf8387843000312fdba5fc7d5e5d1299a905e9

C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\AppxProvider.dll

MD5 a7927846f2bd5e6ab6159fbe762990b1
SHA1 8e3b40c0783cc88765bbc02ccc781960e4592f3f
SHA256 913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f
SHA512 1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg

MD5 ec521e7934667f3b0c3000b88c020b47
SHA1 a1cab54cbe572995cd075a6723c0fff038551711
SHA256 4aa6abeefaa66645923525a48911311060164fbfcfe8ffded6c6fac6d8b8fc04
SHA512 c036043681bb2fe346e0a989e6981d62f40c89cfb036f6d65766319c6fb1c295ae25fe1befed7fd827b79c79927bb4dbe9fd0918bb768183147704889822e05f

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg

MD5 bec3d75cd3a619595427f9a122adfd25
SHA1 1003c1c4833e1c9d9b43ff7c0a2dc2e85d07275e
SHA256 de5d76c4c1be4b15ff011c46e4ff3101f5ffd3ac7ee8bab00753feaae208f75c
SHA512 56827aaf3b106c18a4563e14e07d8372d7e96fa3103f63ab9e1a98e4e9fc77c3f37f7d7591bf7102fa2261ef812578498d73f3468c48c22782933635e8272a49

C:\Users\Admin\AppData\Local\Temp\3f4x4i0p.tmp

MD5 1524a28cbc30e70c60bc6cf977f82229
SHA1 664f15cea146b654ec4a60c76071ff83c4dfa651
SHA256 8561191653adc4ee6cb03a5c1953bd993782689600adebcd8776754147668f9b
SHA512 7fbee3bc38aca8ef368c1ff07eb1f4fb3f178628f8b41430eb1006c63bd908f26a1d85a19f2d661b02d3842505c9c762c8056fb2f1619b92a3a6d1085f0b9c50

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg

MD5 3efc2ed4909f33432d597d950d9cf9eb
SHA1 38603fe0665fbfa8c2a2c45fba11800433e6a8f4
SHA256 8143feeb32a4edbd649ce033a551f878360603aa248faf82d01c1f292cf49a4c
SHA512 743bfa2eebdc9b1754fc70fd5004a8984e17a3469dd0a31a20ec1abbd1e87efc490f0f419bb33dd2750545276fdf6505bea1ae88dce81f437b0eab68e62584ee

C:\Windows\Logs\DISM\dism.log

MD5 830b5933e8dd680cad7a039b1e02136a
SHA1 3371f5de2143cef5e20f7793358798e16941e4ee
SHA256 56f9183da541340d296223840edabd8251ea86c66c4947f4f7510ab6fc4eb5fc
SHA512 478878657efc1e2d8cf0794c572ad1d7461843bff0384fbfa897ed715103fb814df5a36fe2d2c5fb64a02baf2bd40724873dbbb61cc60f027eae1f569ce867ef

memory/1132-961-0x0000000007A10000-0x0000000007A26000-memory.dmp

memory/1132-962-0x0000000007AF0000-0x0000000007AFA000-memory.dmp

memory/1132-963-0x0000000007B80000-0x0000000007BA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg

MD5 6a7ac93420d7960a4d7f2bbe805e9ff7
SHA1 e228c0525def730eafb57044886b0c673900aa1c
SHA256 83f076d81891a2079197344dd5971fc419a56d7c4263b1f17ed31c73aa026dcb
SHA512 ee535f4eac8024185110515fe98dc6385cce6f2cb07291cfa244e8b0c2dbbfd265dc7d9e61029612c789f3cc96c10fa57410e4813ecaf214dacd0ecd9b8958ac

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg

MD5 4193b815bedd1a921e38b6724ad2df63
SHA1 d371e4643149d0bd2cab2e8090fadab78398728e
SHA256 f5e7910242b58b72c7a24ac1b5455adaac5ac3af013f42e041d5e75dabfe6c4f
SHA512 cdfa900ef8825bf4de1353cad13280d3f61e2ad4efb33ccff3ae39ef7dfb27db36d451e764353c5cb972fde63d2deb8e927abc4dc7f06b828e534657e42253d8

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg

MD5 d111b6ca48aae35dd3632e8500c7ff22
SHA1 d812fcec4a3aba1e3f129912d122d5c7bf02d44a
SHA256 79927259642e2b0d0dc47e9faa2c15e30e07af62ade53f35291caab84eedde72
SHA512 13027c715eec3bb92788071d2113efd30a0ac0ba2df3f003ad9ce15d65b2d34ff3500a263435f58ff440d1a5d92c17a4c2a89f1a1aef50d6e49295cc6582e160

C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg

MD5 c4ab563b3e79a74d01d8468ecd635a58
SHA1 4972163b56f7cde494b7087e69f4a23a5b34a9a4
SHA256 f658b566041cc2b9b56ac864dc09fcb285d4f6cff3ca071976887627df3645a4
SHA512 5f7c034a4f286a3232d65a8a1f687bf8d4f7d0174f54848b4c7cbe8ae69a383adbd985f4c65a007fe88ca8ee85ba12826d08ea9bd89aa56b10253590a850f8c2