Contains code to disable Windows Defender

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Disables service(s)

Modifies WinLogon for persistence

Modifies Windows Defender Real-time Protection settings

Deletes shadow copies

Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit

Renames multiple (60) files with added filename extension

This suggests ransomware activity of encrypting all the files on the system.

Blocklisted process makes network request

Downloads MZ/PE file