Analysis Overview
SHA256
704ebc20fe0c7678a2b73d97ba6ad2945ece3a7d35ba0e0a394b629570af00ca
Threat Level: Known bad
The file DefenderRemover (2).exe was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
UAC bypass
Modifies firewall policy service
Windows security bypass
Modifies security service
Modify Registry: Disable Windows Driver Blocklist
Loads dropped DLL
Boot or Logon Autostart Execution: LSASS Driver
Executes dropped EXE
Event Triggered Execution: Component Object Model Hijacking
Hijack Execution Flow: Executable Installer File Permissions Weakness
Indicator Removal: File Deletion
Command and Scripting Interpreter: PowerShell
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Runs .reg file with regedit
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 16:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 16:21
Reported
2024-11-05 16:23
Platform
win7-20240903-en
Max time kernel
69s
Max time network
83s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" | C:\Windows\regedit.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System | C:\Windows\SysWOW64\regedit.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security | C:\Windows\regedit.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\regedit.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions | C:\Windows\regedit.exe | N/A |
Modify Registry: Disable Windows Driver Blocklist
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0" | C:\Windows\regedit.exe | N/A |
Boot or Logon Autostart Execution: LSASS Driver
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\RunAsPPL = "0" | C:\Windows\regedit.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Windows\regedit.exe | N/A |
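The tables above (Defender real-time protection policy, firewall/security service keys, UAC, Security Center overrides, driver blocklist, RunAsPPL and installer detection) are all regedit.exe writes, which makes the end state easy to audit on a suspect host. The script below is an added triage example, not part of the sandbox report: it reads back every value the sample set, flags any that still hold the value the sample wrote, and checks that the WinDefend/wscsvc subkeys the sample deleted are still present. Two assumptions: the report logs ControlSet001, which on a live system maps to CurrentControlSet, so the paths use that; and the "expected clean" logic flags only exact matches with the sample's values, so an absent value is reported as "not set" rather than as tampering.

```powershell
# Added host-triage script (not from the report). Run from an elevated PowerShell.
# Each entry: registry path and value name as logged in the report, and the value
# the sample wrote there ("Bad"). A value is flagged only when it is present and
# equals that value; absence is the default for most of these and is reported as 'not set'.
$Checks = @(
    # "Modifies Windows Defender Real-time Protection settings"
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring';        Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring';        Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableOnAccessProtection';        Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableIOAVProtection';            Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableIntrusionPreventionSystem'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableScanOnRealtimeEnable';      Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRawWriteNotification';      Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'RealtimeScanDirection';            Bad = 2 },
    # "Windows security bypass": Security Center told to trust a third-party AV/firewall
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusOverride'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallOverride';  Bad = 1 },
    # "UAC bypass" and "Executable Installer File Permissions Weakness"
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA';                  Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'ConsentPromptBehaviorAdmin'; Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'PromptOnSecureDesktop';      Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableInstallerDetection';   Bad = 0 },
    # LSA protection off and vulnerable-driver blocklist off
    # (ControlSet001 in the report == CurrentControlSet on a live host; assumption)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';       Name = 'RunAsPPL';                        Bad = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'; Name = 'VulnerableDriverBlocklistEnable'; Bad = 0 }
)

# "Modifies security service": subkeys the sample deleted. They must exist on a healthy host.
$RequiredKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend\Parameters',
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend\Security',
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend\TriggerInfo',
    'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters',
    'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc\Security'
)

function Test-DefenderTampering {
    [CmdletBinding()]
    param(
        [hashtable[]]$ValueChecks = $Checks,
        [string[]]$Keys = $RequiredKeys
    )

    foreach ($c in $ValueChecks) {
        # Missing key or missing value both come back as $null with the error suppressed.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = $null
        $status = 'not set'
        if ($null -ne $item) {
            $actual = $item.($c.Name)
            if ($actual -eq $c.Bad) { $status = 'TAMPERED' } else { $status = 'ok' }
        }
        [pscustomobject]@{
            Check  = "$($c.Path)\$($c.Name)"
            Actual = $actual
            Sample = $c.Bad
            Status = $status
        }
    }

    foreach ($k in $Keys) {
        $present = Test-Path -Path $k
        $status = 'ok'
        if (-not $present) { $status = 'TAMPERED' }
        [pscustomobject]@{
            Check  = $k
            Actual = $(if ($present) { 'present' } else { 'missing' })
            Sample = 'deleted'
            Status = $status
        }
    }

    # The key deletions are meant to stop the services; confirm they are actually running.
    foreach ($svc in 'WinDefend', 'wscsvc') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $status = 'REVIEW'
        $actual = 'missing'
        if ($null -ne $s) {
            $actual = [string]$s.Status
            if ($s.Status -eq 'Running') { $status = 'ok' }
        }
        [pscustomobject]@{ Check = "service $svc"; Actual = $actual; Sample = 'stopped'; Status = $status }
    }
}

# Usage: show only findings that need attention.
Test-DefenderTampering | Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize
```

Policy values under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender` override the UI and the per-machine settings, which is why the sample writes them there rather than under `HKLM\SOFTWARE\Microsoft\Windows Defender`; a host where these are "not set" is the normal state unless Group Policy deliberately configures them, so treat any `TAMPERED` row as evidence to preserve (export the key with `reg export` before remediating) and restore UAC (`EnableLUA = 1`) and LSA protection before trusting the machine again.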
Indicator Removal: File Deletion
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\Software\Microsoft | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Security Health\State | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Edge\SmartScreenEnabled\ = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Security Health | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MenuShowDelay = "1" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance\InitPropertyBag | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance\InitPropertyBag | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellFolder | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}\Version | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\shdocvw | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}\Elevation | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DefaultIcon | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DefaultIcon | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Hosts\urlmon | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellFolder | C:\Windows\regedit.exe | N/A |
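Two things in the tables above deserve separating when a report like this is read. The writes under \REGISTRY\USER\.DEFAULT (ZoneMap, Windows Security Health, Control Panel\Desktop) land in the hive Windows uses when no user profile is loaded, which is where a regedit import ends up when it is relayed through a LocalSystem or TrustedInstaller token rather than run in the interactive user's session. The "Modifies registry class" deletions strip COM registrations, and one of them is specific: the Implemented Categories subkey {56FFCC30-D398-11D0-B2AE-00A0C908FA49} under {2781761E-28E0-4109-99FE-B9D127C57AFE} is CATID_MSOfficeAntiVirus, the category browsers and Office consult to find an IOfficeAntiVirus scan-before-open provider; deleting it removes Defender from that lookup even if the DLL stays on disk. The Wow6432Node copies are deleted as well, so 32-bit clients lose the registration too.

The script below is an added example, not part of the sandbox report or of the analysed tool: it parses a handful of rows copied from the two tables above (constructed sample) and tags each event, reporting counts and the distinct CLSIDs removed. The tag names and rules are this example's own conventions, not the sandbox's signature logic.

```python
"""Registry-event triage for the two tables above (added example).

Rows are constructed here by copying lines from the report; the tags and the
triage() summary are this example's own conventions, not the sandbox's logic.
"""
import re
from collections import Counter

# Constructed sample: rows copied from the HKEY_USERS and
# "Modifies registry class" tables above.
SAMPLE_ROWS = r"""
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Security Health | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MenuShowDelay = "1" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}\Elevation | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} | C:\Windows\regedit.exe | N/A |
"""

ROW_RE = re.compile(r"^\|\s*(?P<op>[^|]+?)\s*\|\s*(?P<ind>[^|]+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|")
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})", re.IGNORECASE)
# CATID_MSOfficeAntiVirus: a CLSID listed under this category is the
# IOfficeAntiVirus "scan before open" provider that browsers and Office call.
OFFICE_AV_CATID = "{56FFCC30-D398-11D0-B2AE-00A0C908FA49}"
# Hive used when no user profile is loaded (LocalSystem / TrustedInstaller context).
DEFAULT_HIVE = "\\registry\\user\\.default\\"


def parse_rows(text):
    """Turn '| op | indicator | process | target |' rows into dicts."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        path, _, value = m.group("ind").partition(" = ")
        events.append({"op": m.group("op"), "path": path.strip(),
                       "value": value.strip().strip('"'), "proc": m.group("proc")})
    return events


def classify(ev):
    """Tag one registry event; returns a set of tag strings (this example's labels)."""
    p = ev["path"].lower()
    tags = set()
    if p.startswith(DEFAULT_HIVE):
        tags.add("default_hive_write")      # written with no user profile loaded
    if ev["op"].lower() == "key deleted" and CLSID_RE.search(ev["path"]):
        tags.add("com_class_deleted")       # a COM server registration is gone
        if p.endswith("\\implemented categories\\" + OFFICE_AV_CATID.lower()):
            tags.add("office_av_hook_removed")   # no longer an IOfficeAntiVirus provider
        if "\\wow6432node\\" in p:
            tags.add("wow64_mirror_touched")     # 32-bit view removed as well
    return tags


def triage(text):
    """Summarise a block of table rows: tag counts and the distinct CLSIDs removed."""
    counts = Counter()
    deleted = set()
    for ev in parse_rows(text):
        tags = classify(ev)
        counts.update(tags)
        if "com_class_deleted" in tags:
            deleted.add(CLSID_RE.search(ev["path"]).group(1).upper())
    return {"counts": dict(counts), "deleted_clsids": sorted(deleted)}


if __name__ == "__main__":
    for key, val in triage(SAMPLE_ROWS).items():
        print(key, val)
```

On a suspect host the same idea applies in reverse: if the CLSIDs listed in the report's "Key deleted" rows are absent from HKLM\SOFTWARE\Classes\CLSID while the Defender binaries are still present, the registration was removed deliberately rather than by an uninstall.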
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe
"C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c .\Script_Run.bat
C:\Windows\SysWOW64\choice.exe
choice /C:yas /N
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""RemoveSecHealthApp.ps1""' -Verb RunAs}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "RemoveSecHealthApp.ps1
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241105162241.log C:\Windows\Logs\CBS\CbsPersist_20241105162241.cab
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableUAC.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableUAC.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableVBS.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableVBS.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableUAC.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableVBS.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableUAC.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableVBS.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "194223660453074852-526454910-106110664419880930472794987571902071312274225688"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscproxystub.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscisvif.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "708259886-584406424-129302424-1780450336-462256511-960555870340997988782528271"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5642803151429806403-3547610521022714023921698885-1479706827-1101874266939449979"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\DWWIN.EXE""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1411542842-16744639511034349091858210301-22643756415321081601715263801870295164"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreenps.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscapi.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscadminui.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1012233847-314622622114799820-1814215941054314816-413591086807587091516618140"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1585183951-1351622258-170208819319837239701613685686-21404418071652166745-1438334162"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "66668048911085512351867348045-115626097315197658121413841540-393038747-1838518168"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Sgrm" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-994438425130759331116691293671786760435-14586724227651154781655446695-1278724749"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9151360531910444911-2634892701987257915-89504012210106233391944291150964268701"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-70868699911250104141378527283-961858413111870610-68263274691228917-449064307"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-117842091115242740721757520273-527437495-141413450-14693757801383664598802988770"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\bcastdvr" /s /q
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "355254960683047442-42918919114915667611199798-280480174-137899975-444766769"
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
C:\Windows\SysWOW64\timeout.exe
timeout 10
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
C:\Windows\SysWOW64\shutdown.exe
shutdown /r /f /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Script_Run.bat
| MD5 | f5f2b8421012d9ce3dec75b23d6d3dac |
| SHA1 | 62bb1f88eb6207caa946eb101d8e5c5a2c56df7f |
| SHA256 | ada4a79590a11e83cc9c99266fdebe23e5cbfe15aee08cc260668a9956fa21d2 |
| SHA512 | d6ad16a7b69637a49464e1556631f853b85bb12548613c29247c9cf832c1cd0b77d0f2e3ef60cb84e378a3f1cb29870e110b9dbf1b8d4426ea665b14d8ef592d |
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
| MD5 | fc1fb033d57f72089fb4762245a8b18d |
| SHA1 | 7ec0f7ca5f0e0d20e5372bf69865d0a809e6cc8e |
| SHA256 | a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2 |
| SHA512 | cff3833e592a5fe1f1fcb656c42e77fdd177c902f84cf396365cfa04edc9ec046de3473a943779d3815bc36bf48182101703b20b08ae580c2b3ba20508d231d0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | d35d0dc0152caf5ed54ce32708486ea7 |
| SHA1 | ce38c6979611e5c2440dc0024422e1007a7ccf51 |
| SHA256 | fefeec2a8b73523f3cc5cc7bd92191fae6528abd1a0b06b88e2084e4d4db4b69 |
| SHA512 | eb25092cda6994466c862b265ae890ddb0e53409d972f788584d8412336646952eddcaf633b6c75385d43a622d9093801a6f6a31c649570a8aa3c801eb259a23 |
C:\Users\Admin\AppData\Local\Temp\2i3f0m8z.tmp
| MD5 | 9e7bb9c31083cc3a0f561d12311c9d83 |
| SHA1 | 9102b88339566d5f0490c25180632043c8bb1809 |
| SHA256 | 2658178fd2cb498195032c531bf3bb037954e0614aaec4c4ac2637f08d949bc1 |
| SHA512 | 1fb30279a1f951a98f609eb749deb6c77082c28a30e1fdd4f3224ddac8ddfad134e8f3c44f82c32501da8a93a978e6cf8dfe591039a0e6af0d4d2a1dc5445699 |
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\RemoveSecHealthApp.ps1
| MD5 | e578450ec12ca326ee55a47f121defa3 |
| SHA1 | 5c9ac60207ce7bf80ca0cd075ec196deba41f2cc |
| SHA256 | b29d37c2d89b1d20ae79863e55a8bd41ee430a6115d695435cf3f5976dc35d32 |
| SHA512 | 1d524d422883604f8841d6e88e3f1c138e55426c72c9ed0ba2a7cbd15c1bc01327c1e1f7087b28a3d7a47244b2b92b7bb054f40b3e0a63fc9f3d6fbf13e7ab5b |
C:\Users\Admin\AppData\Local\Temp\autBCF9.tmp
| MD5 | 4a83df1d945c2f5801ed59650d7460eb |
| SHA1 | 31827890e1df99268c0f80dcb26774225e4c3a5d |
| SHA256 | 2d993be76dfcf35f89b656b4dbc553e078d824974b482e56c6f76eaea87731c8 |
| SHA512 | eacb88683e3c999a1cdc9d9e4a4030723164e358d7cd85f7cfc02b99f33be991c89af5602349b48b5388520968a43a2a45b4b6d2f468f2b888088cf95bd591d2 |
C:\Users\Admin\AppData\Local\Temp\autBD57.tmp
| MD5 | 09ca17eb552722bd7004097f59b07518 |
| SHA1 | 36cf9da188460542e58acb97fa0ef0bfd9a4e172 |
| SHA256 | 365c32c3c09228158ab5aaabfcf93cdfcd858be0b2a00031d82ab03070f61a5b |
| SHA512 | 3dc6ed86df50f87b12635032fb30840e94bea699ac193a16099a2ce1a9bd5e39147f115fb938c177991dc0dcfd5abab075632a1d0b46e6009a86eea3a27156bf |
C:\Users\Admin\AppData\Local\Temp\autBD58.tmp
| MD5 | 96c0e61f3298cb745b021f67e7dd0d48 |
| SHA1 | a61adbe460c68a3087ff1ba75620dbb86af28e40 |
| SHA256 | 3e56c22a81ab1168036a289c7ffe2889dd678c422568dff9ef91d6a0f9005333 |
| SHA512 | dbbfdd4ad2c80ff9df0b21dfd011420baba54a7114d0e0ff5371dda9c9389d90422a4311881ac2bdb5ba7c4334d210b61c6c0fc691ae503e32930109d9251f3e |
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg
| MD5 | dc3b2b1aad7850d42d5154f0e11a3121 |
| SHA1 | f8a9fe5e2a7b1b76ced9cd4f7495b2144adc9fbe |
| SHA256 | c12fa69a11f6b935d127295336b053a3a7bf3277b81bf9092e978b1420fa3bc3 |
| SHA512 | f73bd0111dbe06640016765181d4e91b726fd3c53e0ba74049b263a430a32dd347e5004151650bc832d85d93e5e893793376a8013c1d8492f5c0256a3b6176fa |
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg
| MD5 | 1ed85b1fd58eaf5b12f230e9f861efa5 |
| SHA1 | e34470a63ae079199a420e04494ccd723ebccfc5 |
| SHA256 | bb5e1cd5973932797a7c3c1706255c7314fd0843558ce270e296c735c1bb256f |
| SHA512 | 3c2a030b63d42713045e9cc9edc3c5602c82fd17e2f4cb74b8a64e894e8aaa2cb773b86b03754ce6f60ea72c6be0eee559d980237378c1aa54c4147b4e91f594 |
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg
| MD5 | 577d9bbc801d8c6df2d0f0b1aff298f4 |
| SHA1 | 4c42779c0061075629692ad18f15adc369d8ca79 |
| SHA256 | 99fdaaaf838c00099e5beadd4725be22cdc4687f2aded7670fa12bc95f888409 |
| SHA512 | 3bf58a3e6314807362807e562008427a8f4149f926ec24874e81fd6574e8d26f9bfe4f633ff95d0f2b1036152b0b1a7bf1f916d238b3048ec475db2f5f64393e |
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg
| MD5 | ec521e7934667f3b0c3000b88c020b47 |
| SHA1 | a1cab54cbe572995cd075a6723c0fff038551711 |
| SHA256 | 4aa6abeefaa66645923525a48911311060164fbfcfe8ffded6c6fac6d8b8fc04 |
| SHA512 | c036043681bb2fe346e0a989e6981d62f40c89cfb036f6d65766319c6fb1c295ae25fe1befed7fd827b79c79927bb4dbe9fd0918bb768183147704889822e05f |
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg
| MD5 | bec3d75cd3a619595427f9a122adfd25 |
| SHA1 | 1003c1c4833e1c9d9b43ff7c0a2dc2e85d07275e |
| SHA256 | de5d76c4c1be4b15ff011c46e4ff3101f5ffd3ac7ee8bab00753feaae208f75c |
| SHA512 | 56827aaf3b106c18a4563e14e07d8372d7e96fa3103f63ab9e1a98e4e9fc77c3f37f7d7591bf7102fa2261ef812578498d73f3468c48c22782933635e8272a49 |
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg
| MD5 | 3efc2ed4909f33432d597d950d9cf9eb |
| SHA1 | 38603fe0665fbfa8c2a2c45fba11800433e6a8f4 |
| SHA256 | 8143feeb32a4edbd649ce033a551f878360603aa248faf82d01c1f292cf49a4c |
| SHA512 | 743bfa2eebdc9b1754fc70fd5004a8984e17a3469dd0a31a20ec1abbd1e87efc490f0f419bb33dd2750545276fdf6505bea1ae88dce81f437b0eab68e62584ee |
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg
| MD5 | 6a7ac93420d7960a4d7f2bbe805e9ff7 |
| SHA1 | e228c0525def730eafb57044886b0c673900aa1c |
| SHA256 | 83f076d81891a2079197344dd5971fc419a56d7c4263b1f17ed31c73aa026dcb |
| SHA512 | ee535f4eac8024185110515fe98dc6385cce6f2cb07291cfa244e8b0c2dbbfd265dc7d9e61029612c789f3cc96c10fa57410e4813ecaf214dacd0ecd9b8958ac |
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg
| MD5 | 4193b815bedd1a921e38b6724ad2df63 |
| SHA1 | d371e4643149d0bd2cab2e8090fadab78398728e |
| SHA256 | f5e7910242b58b72c7a24ac1b5455adaac5ac3af013f42e041d5e75dabfe6c4f |
| SHA512 | cdfa900ef8825bf4de1353cad13280d3f61e2ad4efb33ccff3ae39ef7dfb27db36d451e764353c5cb972fde63d2deb8e927abc4dc7f06b828e534657e42253d8 |
C:\Users\Admin\AppData\Local\Temp\1w4c8l4p.tmp
| MD5 | db2eb3078f924bc0049ae6e98653f2b0 |
| SHA1 | fc058c55c2b670dea826418aebc602ad737f6285 |
| SHA256 | f37b5230deb0e25cd3721e8b6653036b26dde8c7d567e4639458192daacef9f7 |
| SHA512 | dca8ec245c856def9ff56536537b91456c967966939e94b602c085282ebbe5c95e12bb9f48772d3dbd43087ce3317debdc87bf635f3972b048ea4ec811d1b50a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-05 16:21
Reported
2024-11-05 16:22
Platform
win10v2004-20241007-en
Max time kernel
26s
Max time network
44s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" | C:\Windows\regedit.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System | C:\Windows\regedit.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security | C:\Windows\regedit.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\regedit.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
Modify Registry: Disable Windows Driver Blocklist
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0" | C:\Windows\regedit.exe | N/A |
Boot or Logon Autostart Execution: LSASS Driver
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\RunAsPPL = "0" | C:\Windows\regedit.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Windows\regedit.exe | N/A |
Indicator Removal: File Deletion
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\dismhost.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ForegroundLockTimeout = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\LowLevelHooksTimeout = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\AppHost\PreventOverride = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\SmartScreenEnabled | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\DefaultIcon | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DefaultIcon | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.Defender | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Microsoft.Windows.Defender | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance\InitPropertyBag | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellFolder | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell\open | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell\open\command | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance\InitPropertyBag | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellFolder | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DefaultIcon | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Application | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-cxh | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe
"C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c .\Script_Run.bat
C:\Windows\SysWOW64\choice.exe
choice /C:yas /N
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""RemoveSecHealthApp.ps1""' -Verb RunAs}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "RemoveSecHealthApp.ps1
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\dismhost.exe {D5D30325-AA08-49F3-913E-DC1E86598E65}
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveStartupEntries.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableVBS.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableVBS.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableUAC.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableVBS.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\DisableVBS.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscproxystub.dll""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscisvif.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\DWWIN.EXE""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreenps.dll""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscapi.dll""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscadminui.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender" /s /q
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Sgrm" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
PowerRun cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
C:\Windows\SysWOW64\timeout.exe
timeout 10
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\bcastdvr" /s /q
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
C:\Windows\SysWOW64\shutdown.exe
shutdown /r /f /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ac055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Script_Run.bat
| MD5 | f5f2b8421012d9ce3dec75b23d6d3dac |
| SHA1 | 62bb1f88eb6207caa946eb101d8e5c5a2c56df7f |
| SHA256 | ada4a79590a11e83cc9c99266fdebe23e5cbfe15aee08cc260668a9956fa21d2 |
| SHA512 | d6ad16a7b69637a49464e1556631f853b85bb12548613c29247c9cf832c1cd0b77d0f2e3ef60cb84e378a3f1cb29870e110b9dbf1b8d4426ea665b14d8ef592d |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s5jba5cp.sgj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\PowerRun.exe
| MD5 | fc1fb033d57f72089fb4762245a8b18d |
| SHA1 | 7ec0f7ca5f0e0d20e5372bf69865d0a809e6cc8e |
| SHA256 | a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2 |
| SHA512 | cff3833e592a5fe1f1fcb656c42e77fdd177c902f84cf396365cfa04edc9ec046de3473a943779d3815bc36bf48182101703b20b08ae580c2b3ba20508d231d0 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | def65711d78669d7f8e69313be4acf2e |
| SHA1 | 6522ebf1de09eeb981e270bd95114bc69a49cda6 |
| SHA256 | aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c |
| SHA512 | 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7 |
C:\Users\Admin\AppData\Local\Temp\3h0s6z0g.tmp
| MD5 | 9e7bb9c31083cc3a0f561d12311c9d83 |
| SHA1 | 9102b88339566d5f0490c25180632043c8bb1809 |
| SHA256 | 2658178fd2cb498195032c531bf3bb037954e0614aaec4c4ac2637f08d949bc1 |
| SHA512 | 1fb30279a1f951a98f609eb749deb6c77082c28a30e1fdd4f3224ddac8ddfad134e8f3c44f82c32501da8a93a978e6cf8dfe591039a0e6af0d4d2a1dc5445699 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bb7e9821c8dc8d4430e3db46335ff88f |
| SHA1 | 5e7e314d5bb4663085139cf98dee612033250663 |
| SHA256 | 5e194cd7f357bc48b5a45bcd0684509b0776508e6a9f504a9cda9916469f59bf |
| SHA512 | 95921600ae3fe26c8e64bd6eaa9eb365b7b3aeaccb3eb25e4c5d2540bc778cb4dcf3a96ef472e62db01eb33b075608408c4435f747e409474149830d84695796 |
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\RemoveSecHealthApp.ps1
| MD5 | e578450ec12ca326ee55a47f121defa3 |
| SHA1 | 5c9ac60207ce7bf80ca0cd075ec196deba41f2cc |
| SHA256 | b29d37c2d89b1d20ae79863e55a8bd41ee430a6115d695435cf3f5976dc35d32 |
| SHA512 | 1d524d422883604f8841d6e88e3f1c138e55426c72c9ed0ba2a7cbd15c1bc01327c1e1f7087b28a3d7a47244b2b92b7bb054f40b3e0a63fc9f3d6fbf13e7ab5b |
C:\Users\Admin\AppData\Local\Temp\autB141.tmp
| MD5 | 96c0e61f3298cb745b021f67e7dd0d48 |
| SHA1 | a61adbe460c68a3087ff1ba75620dbb86af28e40 |
| SHA256 | 3e56c22a81ab1168036a289c7ffe2889dd678c422568dff9ef91d6a0f9005333 |
| SHA512 | dbbfdd4ad2c80ff9df0b21dfd011420baba54a7114d0e0ff5371dda9c9389d90422a4311881ac2bdb5ba7c4334d210b61c6c0fc691ae503e32930109d9251f3e |
C:\Users\Admin\AppData\Local\Temp\autB130.tmp
| MD5 | 09ca17eb552722bd7004097f59b07518 |
| SHA1 | 36cf9da188460542e58acb97fa0ef0bfd9a4e172 |
| SHA256 | 365c32c3c09228158ab5aaabfcf93cdfcd858be0b2a00031d82ab03070f61a5b |
| SHA512 | 3dc6ed86df50f87b12635032fb30840e94bea699ac193a16099a2ce1a9bd5e39147f115fb938c177991dc0dcfd5abab075632a1d0b46e6009a86eea3a27156bf |
C:\Users\Admin\AppData\Local\Temp\autB12F.tmp
| MD5 | 4a83df1d945c2f5801ed59650d7460eb |
| SHA1 | 31827890e1df99268c0f80dcb26774225e4c3a5d |
| SHA256 | 2d993be76dfcf35f89b656b4dbc553e078d824974b482e56c6f76eaea87731c8 |
| SHA512 | eacb88683e3c999a1cdc9d9e4a4030723164e358d7cd85f7cfc02b99f33be991c89af5602349b48b5388520968a43a2a45b4b6d2f468f2b888088cf95bd591d2 |
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableAntivirusProtection.reg
| MD5 | 1ed85b1fd58eaf5b12f230e9f861efa5 |
| SHA1 | e34470a63ae079199a420e04494ccd723ebccfc5 |
| SHA256 | bb5e1cd5973932797a7c3c1706255c7314fd0843558ce270e296c735c1bb256f |
| SHA512 | 3c2a030b63d42713045e9cc9edc3c5602c82fd17e2f4cb74b8a64e894e8aaa2cb773b86b03754ce6f60ea72c6be0eee559d980237378c1aa54c4147b4e91f594 |
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg
| MD5 | dc3b2b1aad7850d42d5154f0e11a3121 |
| SHA1 | f8a9fe5e2a7b1b76ced9cd4f7495b2144adc9fbe |
| SHA256 | c12fa69a11f6b935d127295336b053a3a7bf3277b81bf9092e978b1420fa3bc3 |
| SHA512 | f73bd0111dbe06640016765181d4e91b726fd3c53e0ba74049b263a430a32dd347e5004151650bc832d85d93e5e893793376a8013c1d8492f5c0256a3b6176fa |
C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\DismHost.exe
| MD5 | e5d5e9c1f65b8ec7aa5b7f1b1acdd731 |
| SHA1 | dbb14dcda6502ab1d23a7c77d405dafbcbeb439e |
| SHA256 | e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80 |
| SHA512 | 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc |
C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\DismCorePS.dll
| MD5 | a033f16836d6f8acbe3b27b614b51453 |
| SHA1 | 716297072897aea3ec985640793d2cdcbf996cf9 |
| SHA256 | e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e |
| SHA512 | ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871 |
C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\dismprov.dll
| MD5 | 490be3119ea17fa29329e77b7e416e80 |
| SHA1 | c71191c3415c98b7d9c9bbcf1005ce6a813221da |
| SHA256 | ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a |
| SHA512 | 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13 |
C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\OSProvider.dll
| MD5 | db4c3a07a1d3a45af53a4cf44ed550ad |
| SHA1 | 5dea737faadf0422c94f8f50e9588033d53d13b3 |
| SHA256 | 2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758 |
| SHA512 | 5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde |
C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\LogProvider.dll
| MD5 | 815a4e7a7342224a239232f2c788d7c0 |
| SHA1 | 430b7526d864cfbd727b75738197230d148de21a |
| SHA256 | a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2 |
| SHA512 | 0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349 |
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\DisableDefenderPolicies.reg
| MD5 | 577d9bbc801d8c6df2d0f0b1aff298f4 |
| SHA1 | 4c42779c0061075629692ad18f15adc369d8ca79 |
| SHA256 | 99fdaaaf838c00099e5beadd4725be22cdc4687f2aded7670fa12bc95f888409 |
| SHA512 | 3bf58a3e6314807362807e562008427a8f4149f926ec24874e81fd6574e8d26f9bfe4f633ff95d0f2b1036152b0b1a7bf1f916d238b3048ec475db2f5f64393e |
C:\Windows\Logs\DISM\dism.log
| MD5 | b04906ec77a77ebdf04b27077ae690a6 |
| SHA1 | 42a4c1efa93774e6327496fbc167b67bd1015478 |
| SHA256 | ded5df56838c1923a040943e6136a86e0713e0bf42669721a66cccc6f4341e03 |
| SHA512 | b144b56bfb93addef4794d9bd5d5cd5b5ca4717d792bc79ffeb6dcfb3fb024a6ca8cec53de54e2f3d1acc6a9bddf8387843000312fdba5fc7d5e5d1299a905e9 |
C:\Users\Admin\AppData\Local\Temp\156F6750-01FD-4E8E-9598-1B7AC03AA9C8\AppxProvider.dll
| MD5 | a7927846f2bd5e6ab6159fbe762990b1 |
| SHA1 | 8e3b40c0783cc88765bbc02ccc781960e4592f3f |
| SHA256 | 913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f |
| SHA512 | 1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f |
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\NomoreDelayandTimeouts.reg
| MD5 | ec521e7934667f3b0c3000b88c020b47 |
| SHA1 | a1cab54cbe572995cd075a6723c0fff038551711 |
| SHA256 | 4aa6abeefaa66645923525a48911311060164fbfcfe8ffded6c6fac6d8b8fc04 |
| SHA512 | c036043681bb2fe346e0a989e6981d62f40c89cfb036f6d65766319c6fb1c295ae25fe1befed7fd827b79c79927bb4dbe9fd0918bb768183147704889822e05f |
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg
| MD5 | bec3d75cd3a619595427f9a122adfd25 |
| SHA1 | 1003c1c4833e1c9d9b43ff7c0a2dc2e85d07275e |
| SHA256 | de5d76c4c1be4b15ff011c46e4ff3101f5ffd3ac7ee8bab00753feaae208f75c |
| SHA512 | 56827aaf3b106c18a4563e14e07d8372d7e96fa3103f63ab9e1a98e4e9fc77c3f37f7d7591bf7102fa2261ef812578498d73f3468c48c22782933635e8272a49 |
C:\Users\Admin\AppData\Local\Temp\3f4x4i0p.tmp
| MD5 | 1524a28cbc30e70c60bc6cf977f82229 |
| SHA1 | 664f15cea146b654ec4a60c76071ff83c4dfa651 |
| SHA256 | 8561191653adc4ee6cb03a5c1953bd993782689600adebcd8776754147668f9b |
| SHA512 | 7fbee3bc38aca8ef368c1ff07eb1f4fb3f178628f8b41430eb1006c63bd908f26a1d85a19f2d661b02d3842505c9c762c8056fb2f1619b92a3a6d1085f0b9c50 |
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveDefenderTasks.reg
| MD5 | 3efc2ed4909f33432d597d950d9cf9eb |
| SHA1 | 38603fe0665fbfa8c2a2c45fba11800433e6a8f4 |
| SHA256 | 8143feeb32a4edbd649ce033a551f878360603aa248faf82d01c1f292cf49a4c |
| SHA512 | 743bfa2eebdc9b1754fc70fd5004a8984e17a3469dd0a31a20ec1abbd1e87efc490f0f419bb33dd2750545276fdf6505bea1ae88dce81f437b0eab68e62584ee |
C:\Windows\Logs\DISM\dism.log
| MD5 | 830b5933e8dd680cad7a039b1e02136a |
| SHA1 | 3371f5de2143cef5e20f7793358798e16941e4ee |
| SHA256 | 56f9183da541340d296223840edabd8251ea86c66c4947f4f7510ab6fc4eb5fc |
| SHA512 | 478878657efc1e2d8cf0794c572ad1d7461843bff0384fbfa897ed715103fb814df5a36fe2d2c5fb64a02baf2bd40724873dbbb61cc60f027eae1f569ce867ef |
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoverofDefenderContextMenu.reg
| MD5 | 6a7ac93420d7960a4d7f2bbe805e9ff7 |
| SHA1 | e228c0525def730eafb57044886b0c673900aa1c |
| SHA256 | 83f076d81891a2079197344dd5971fc419a56d7c4263b1f17ed31c73aa026dcb |
| SHA512 | ee535f4eac8024185110515fe98dc6385cce6f2cb07291cfa244e8b0c2dbbfd265dc7d9e61029612c789f3cc96c10fa57410e4813ecaf214dacd0ecd9b8958ac |
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveServices.reg
| MD5 | 4193b815bedd1a921e38b6724ad2df63 |
| SHA1 | d371e4643149d0bd2cab2e8090fadab78398728e |
| SHA256 | f5e7910242b58b72c7a24ac1b5455adaac5ac3af013f42e041d5e75dabfe6c4f |
| SHA512 | cdfa900ef8825bf4de1353cad13280d3f61e2ad4efb33ccff3ae39ef7dfb27db36d451e764353c5cb972fde63d2deb8e927abc4dc7f06b828e534657e42253d8 |
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveShellAssociation.reg
| MD5 | d111b6ca48aae35dd3632e8500c7ff22 |
| SHA1 | d812fcec4a3aba1e3f129912d122d5c7bf02d44a |
| SHA256 | 79927259642e2b0d0dc47e9faa2c15e30e07af62ade53f35291caab84eedde72 |
| SHA512 | 13027c715eec3bb92788071d2113efd30a0ac0ba2df3f003ad9ce15d65b2d34ff3500a263435f58ff440d1a5d92c17a4c2a89f1a1aef50d6e49295cc6582e160 |
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Remove_defender\RemoveSignatureUpdates.reg
| MD5 | c4ab563b3e79a74d01d8468ecd635a58 |
| SHA1 | 4972163b56f7cde494b7087e69f4a23a5b34a9a4 |
| SHA256 | f658b566041cc2b9b56ac864dc09fcb285d4f6cff3ca071976887627df3645a4 |
| SHA512 | 5f7c034a4f286a3232d65a8a1f687bf8d4f7d0174f54848b4c7cbe8ae69a383adbd985f4c65a007fe88ca8ee85ba12826d08ea9bd89aa56b10253590a850f8c2 |