463a64d183f90599991de74c1b48330ad796fcd7aa733ac1a9be131eaa80618c

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	regedit.exe

Modifies firewall policy service 3 TTPs 12 IoCs

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	regedit.exe

Modifies security service 2 TTPs 2 IoCs

Modify Registry

Windows Service

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	regedit.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	regedit.exe

UAC bypass 3 TTPs 8 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe

Windows security bypass 2 TTPs 8 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1"	regedit.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3500	bcdedit.exe
1100	bcdedit.exe

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\WdmCompanionFilter.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\i8042prt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\stream.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tcpipreg.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\SensorsCx.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\Microsoft.Bluetooth.AvrcpTransport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\parport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\cdrom.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\volmgrx.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hidusb.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ks.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\VerifierExt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\EhStorTcgDrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tunnel.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbehci.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\storqosflt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\wpdmtpdr.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UsbPmApi.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\kbdclass.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\wmiacpi.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Acx01000.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mup.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\urscx01000.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\IPMIDRV.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ndis.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\Microsoft.Bluetooth.Profiles.HidOverGatt.dll	cmd.exe
File opened for modification	C:\Windows\System32\drivers\wfplwfs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\umpass.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\winhvr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dfsc.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pmem.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\processr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\refsv1.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mshwnclx.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\WppRecorder.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tsusbflt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mcd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\partmgr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\storport.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vmgencounter.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\wdf01000.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tsusbhub.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\VMBusHID.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vpci.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\beep.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\bthmodem.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Dumpata.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rdyboost.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\watchdog.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\wimmount.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dam.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mpsdrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\stornvme.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\wanarp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\condrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\qwavedrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\wof.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\netio.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\raspptp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\refs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\winhv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\bridge.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\cnghwassist.sys	cmd.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll	cmd.exe
File opened for modification	C:\Windows\System32\wintrust.dll	cmd.exe

Modify Registry: Disable Windows Driver Blocklist 2 TTPs 2 IoCs

Disable Windows Driver Blocklist via Registry.

defense_evasion

Modify Registry

persistence credential_access

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0"	regedit.exe

Boot or Logon Autostart Execution: LSASS Driver 2 TTPs 2 IoCs

Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems.

LSASS Driver

T1547.008

LSASS Memory

T1003.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\RunAsPPL = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\RunAsPPL = "0"	regedit.exe

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\System32\spool\prtprocs\x64\winprint.dll	cmd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BITLOC~1\autorun.inf	cmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\uk-UA\PhotoScreensaver.scr.mui	cmd.exe
File opened for modification	C:\Windows\System32\Dism\it-IT\CbsProvider.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\dxgkrnl.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\provsvc.dll	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\certcredprovider.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\spp\tokens\skus\IOTENT~1\IoTEnterprise-ppdlic.xrm-ms	cmd.exe
File opened for modification	C:\Windows\System32\Configuration\BaseRegistration\ja-JP\MSFT_DSCMetaConfiguration.mfl	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\runas.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\sechost.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\find.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\klist.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\psmsrv.dll	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\it-IT\ArchiveResources.psd1	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\SharedRealitySvc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\scansetting.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\joy.cpl.mui	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\SCardDlg.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\BWContextHandler.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\spp\tokens\skus\SERVER~1\ServerRdsh-ppdlic.xrm-ms	cmd.exe
File opened for modification	C:\Windows\System32\wbem\en-US\appbackgroundtask.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\wmipicmp.mof	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\FXSUTILITY.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\SDFLauncher.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\en-US\MSVidCtl.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\zh-TW\fms.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\hidir.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\netvf63a.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\en-US\ResetEngine.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\utcutil.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\wersvc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\BCP47mrm.dll	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\csrss.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmfj2.inf_amd64_167948d0c94abc27\mdmfj2.inf	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\AudioSes.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\MicrosoftEdgeCP.exe	cmd.exe
File opened for modification	C:\Windows\System32\PrintBrmUi.exe	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\SDBUS~1.INF\sdbus.sys	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\rawsilo.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\en-US\ajrouter.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\IME\SHARED\IMESEARCHPS.DLL	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\usbmon.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\devenum.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\imaadp32.acm.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\wiadss.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\regsvr32.exe	cmd.exe
File opened for modification	C:\Windows\System32\Speech_OneCore\common\de-DE\DictationCommands.0407.grxml	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\workfolderssvc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\gpprefcl.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\LockScreenContent.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\LanguageOverlayUtil.dll	cmd.exe
File opened for modification	C:\Windows\System32\C_10017.NLS	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\fingerprintcredential.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\authfwgp.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\halextintclpiodma.inf_amd64_7f59f2c73a7fab14\HalExtIntcLpioDMA.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\NTPRIN~3.INF\Amd64\STDDTYPE.GDL	cmd.exe
File opened for modification	C:\Windows\System32\en-US\wcnwiz.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\Windows.Media.MediaControl.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\wlanmm.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\AppVStreamMap.dll	cmd.exe
File opened for modification	C:\Windows\System32\C_1256.NLS	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\ConsentUX.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\en-US\EmbeddedLockdownWmi.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\cscui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\TransliterationRanker.dll	cmd.exe

Modifies termsrv.dll 1 TTPs 1 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

description	ioc	Process
File opened for modification	C:\Windows\System32\termsrv.dll	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cursors\beam_im.cur	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MI9F11~1.CAT	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MI7FAF~1.CAT	cmd.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\phone.png	cmd.exe
File opened for modification	C:\Windows\Installer\$PATCH~1\Managed\68AB67~1\157~1.200\UKRAINE.TXT	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\V20~1.507\System.EnterpriseServices.Wrapper.dll	cmd.exe
File opened for modification	C:\Windows\PolicyDefinitions\TabletPCInputPanel.admx	cmd.exe
File opened for modification	C:\Windows\servicing\INBOXF~1\metadata\RSATCE~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-VmChipset-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	cmd.exe
File opened for modification	C:\Windows\rescache\_merged\330034~1\452203~1.PRI	cmd.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\hc1.theme	cmd.exe
File opened for modification	C:\Windows\diagnostics\scheduled\Maintenance\es-ES\CL_LocalizationData.psd1	cmd.exe
File opened for modification	C:\Windows\diagnostics\system\Power\de-DE\Power_Troubleshooter.psd1	cmd.exe
File opened for modification	C:\Windows\diagnostics\system\Video\es-ES\CL_LocalizationData.psd1	cmd.exe
File opened for modification	C:\Windows\Installer\$PATCH~1\Managed\68AB67~1\157~1.200\PDDOM~1.API	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.Workflow.ComponentModel.resources.dll	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.ServiceModel.Activation.resources.dll	cmd.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\hc2.theme	cmd.exe
File opened for modification	C:\Windows\servicing\INBOXF~1\metadata\LA4094~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\HY099A~1.CAT	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MI2A31~1.CAT	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.Data.Entity.Design.resources.dll	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MID3CC~1.CAT	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\monaco-editor\min\vs\basic-languages\src\less.js	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\storage\images\clearCookies.png	cmd.exe
File opened for modification	C:\Windows\Globalization\ELS\SPELLD~1\Fluency\uk-UA\emoji_bg_c.lm2	cmd.exe
File opened for modification	C:\Windows\Installer\$PATCH~1\Managed\1926E8~1\100~1.402\F_9587~1	cmd.exe
File opened for modification	C:\Windows\servicing\INBOXF~1\metadata\LA47EA~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-OneCore-LibreSSL-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MI1322~1.CAT	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MUCBE7~1.CAT	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Security-SPP-Component-SKU-Enterprise-Default-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\network\Images\i_clearOnNavigate.png	cmd.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\RS_ProcessPrinterjobs.ps1	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\JA\System.Security.Resources.dll	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Web.RegularExpressions.dll	cmd.exe
File opened for modification	C:\Windows\rescache\_merged\398301~1\229322~1.PRI	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MI5785~1.CAT	cmd.exe
File opened for modification	C:\Windows\diagnostics\system\Power\uk-UA\RS_ResetDisplayIdleTimeout.psd1	cmd.exe
File opened for modification	C:\Windows\diagnostics\system\WINDOW~3\DiagPackage.diagpkg	cmd.exe
File opened for modification	C:\Windows\INF\ipoib6x.inf	cmd.exe
File opened for modification	C:\Windows\servicing\INBOXF~1\metadata\LA4AF8~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MIA3D9~1.CAT	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\images\notAFunctionIconMapped.png	cmd.exe
File opened for modification	C:\Windows\servicing\INBOXF~1\metadata\LAC5E1~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\LANGUA~4.CAT	cmd.exe
File opened for modification	C:\Windows\INF\intelpmax.inf	cmd.exe
File opened for modification	C:\Windows\Installer\$PATCH~1\Managed\68AB67~1\157~1.200\TESSEL~1.X3D	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\TLBREF.DLL	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.Data.Linq.resources.dll	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\V20~1.507\fr\aspnet_regbrowsers.resources.dll	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\default.win32manifest	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MI792E~1.CAT	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MI9A05~1.CAT	cmd.exe
File opened for modification	C:\Windows\Media\notify.wav	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.Runtime.DurableInstancing.resources.dll	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\normnfd.nlp	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\3082\cscui.dll	cmd.exe
File opened for modification	C:\Windows\PolicyDefinitions\Printing.admx	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PeerDist-Client-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Loading.htm	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.MIC\de-DE\assets\ERRORP~1\needhvsi.html	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.MIC\fr-FR\assets\ERRORP~1\pdferrorrenewrentallicense.html	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4356	powershell.exe
3756	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 64 IoCs

pid	Process
4144	timeout.exe
4624	timeout.exe
2544	timeout.exe
2096	timeout.exe
2216	timeout.exe
2100	timeout.exe
1148	timeout.exe
2344	timeout.exe
4576	timeout.exe
4932	timeout.exe
1716	timeout.exe
4800	timeout.exe
5080	timeout.exe
4180	timeout.exe
4412	timeout.exe
2452	timeout.exe
4632	timeout.exe
836	timeout.exe
3964	timeout.exe
2232	timeout.exe
3944	timeout.exe
2824	timeout.exe
3648	timeout.exe
2216	timeout.exe
2312	timeout.exe
1412	timeout.exe
1572	timeout.exe
3664	timeout.exe
3888	timeout.exe
5048	timeout.exe
3524	timeout.exe
4904	timeout.exe
3736	timeout.exe
1648	timeout.exe
4128	timeout.exe
3624	timeout.exe
4008	timeout.exe
4004	timeout.exe
1584	timeout.exe
2908	timeout.exe
1980	timeout.exe
3248	timeout.exe
412	timeout.exe
3620	timeout.exe
4448	timeout.exe
1216	timeout.exe
2008	timeout.exe
5028	timeout.exe
2376	timeout.exe
3764	timeout.exe
4604	timeout.exe
5100	timeout.exe
632	timeout.exe
4844	timeout.exe
4880	timeout.exe
2532	timeout.exe
4928	timeout.exe
1840	timeout.exe
3420	timeout.exe
4180	timeout.exe
512	timeout.exe
2372	timeout.exe
592	timeout.exe
5108	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers system information 1 TTPs 4 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
4904	systeminfo.exe
5096	systeminfo.exe
3792	systeminfo.exe
3964	systeminfo.exe

Kills process with taskkill 1 IoCs

pid	Process
396	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\AppHost\PreventOverride = "0"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\AppHost\PreventOverride = "0"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MenuShowDelay = "1"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillAppTimeout = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\HungAppTimeout = "1000"	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\LowLevelHooksTimeout = "1"	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\HungAppTimeout = "1000"	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ThumbnailLivePreviewHoverTime = "1"	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\PreventOverride = "0"	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ThumbnailLivePreviewHoverTime = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\PreventOverride = "0"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-cxh	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.Defender	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellFolder	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellFolder	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Microsoft.Windows.Defender	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance\InitPropertyBag	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Application	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DefaultIcon	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance\InitPropertyBag	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OpenWith.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\DefaultIcon	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DefaultIcon	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OpenWith.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell\open\command	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell\open	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0	regedit.exe

Runs .reg file with regedit 14 IoCs

pid	Process
4248	regedit.exe
5112	regedit.exe
1232	regedit.exe
548	regedit.exe
2824	regedit.exe
3844	regedit.exe
2424	regedit.exe
2268	regedit.exe
1592	regedit.exe
4464	regedit.exe
3008	regedit.exe
4760	regedit.exe
3068	regedit.exe
3848	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
316	powershell.exe
316	powershell.exe
3376	msedge.exe
3376	msedge.exe
744	msedge.exe
744	msedge.exe
2728	identity_helper.exe
2728	identity_helper.exe
4948	msedge.exe
4948	msedge.exe
592	msedge.exe
592	msedge.exe
4276	msedge.exe
4276	msedge.exe
1248	identity_helper.exe
1248	identity_helper.exe
2348	msedge.exe
2348	msedge.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
2356	msedge.exe
2356	msedge.exe
816	msedge.exe
816	msedge.exe
724	identity_helper.exe
724	identity_helper.exe
2092	msedge.exe
2092	msedge.exe
2376	PowerRun.exe
2376	PowerRun.exe
2260	PowerRun.exe
2260	PowerRun.exe
2260	PowerRun.exe
2260	PowerRun.exe
548	PowerRun.exe
548	PowerRun.exe
548	PowerRun.exe
548	PowerRun.exe
4348	PowerRun.exe
4348	PowerRun.exe
4348	PowerRun.exe
4348	PowerRun.exe
4360	PowerRun.exe
4360	PowerRun.exe
4360	PowerRun.exe
4360	PowerRun.exe
4820	PowerRun.exe
4820	PowerRun.exe
4820	PowerRun.exe
4820	PowerRun.exe
3964	PowerRun.exe
3964	PowerRun.exe
3940	PowerRun.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2624	OpenWith.exe
2700	OpenWith.exe
2376	PowerRun.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	1972	taskmgr.exe
Token: SeSystemProfilePrivilege	1972	taskmgr.exe
Token: SeCreateGlobalPrivilege	1972	taskmgr.exe
Token: 33	1972	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1972	taskmgr.exe
Token: SeDebugPrivilege	2260	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	2260	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	2260	PowerRun.exe
Token: 0	2260	PowerRun.exe
Token: SeDebugPrivilege	548	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	548	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	548	PowerRun.exe
Token: SeDebugPrivilege	4348	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	4348	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	4348	PowerRun.exe
Token: 0	4348	PowerRun.exe
Token: SeDebugPrivilege	4360	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	4360	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	4360	PowerRun.exe
Token: SeDebugPrivilege	4820	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	4820	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	4820	PowerRun.exe
Token: 0	4820	PowerRun.exe
Token: SeDebugPrivilege	3964	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	3964	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	3964	PowerRun.exe
Token: SeDebugPrivilege	3940	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	3940	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	3940	PowerRun.exe
Token: 0	3940	PowerRun.exe
Token: SeDebugPrivilege	4960	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	4960	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	4960	PowerRun.exe
Token: SeDebugPrivilege	3636	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	3636	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	3636	PowerRun.exe
Token: 0	3636	PowerRun.exe
Token: SeDebugPrivilege	4312	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	4312	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	4312	PowerRun.exe
Token: SeDebugPrivilege	3756	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	3756	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	3756	PowerRun.exe
Token: 0	3756	PowerRun.exe
Token: SeDebugPrivilege	3972	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	3972	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	3972	PowerRun.exe
Token: SeDebugPrivilege	5048	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	5048	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	5048	PowerRun.exe
Token: 0	5048	PowerRun.exe
Token: SeDebugPrivilege	2092	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	2092	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	2092	PowerRun.exe
Token: SeDebugPrivilege	2972	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	2972	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	2972	PowerRun.exe
Token: 0	2972	PowerRun.exe
Token: SeDebugPrivilege	4084	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	4084	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	4084	PowerRun.exe
Token: SeDebugPrivilege	4056	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	4056	PowerRun.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe
1972	taskmgr.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
2624	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2700	OpenWith.exe
2376	PowerRun.exe
2260	PowerRun.exe
548	PowerRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 4392	744	msedge.exe	107
PID 744 wrote to memory of 4392	744	msedge.exe	107
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 812	744	msedge.exe	108
PID 744 wrote to memory of 3376	744	msedge.exe	109
PID 744 wrote to memory of 3376	744	msedge.exe	109
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110
PID 744 wrote to memory of 1232	744	msedge.exe	110

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\pepe.jpg
1⤵
PID:2444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316
- C:\Windows\system32\taskkill.exe
  "C:\Windows\system32\taskkill.exe" /f /s /q C:
  2⤵
  - Kills process with taskkill
  PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9841246f8,0x7ff984124708,0x7ff984124718
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 /prefetch:8
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4104 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,17993494428812441932,16461779964283279378,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Windows-Destroyer-main\Windows-Destroyer-main\destroy.bat" "
1⤵
- Drops file in System32 directory
PID:724

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Windows-Destroyer-main\Windows-Destroyer-main\How do I use this.txt
1⤵
PID:3748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Windows-Destroyer-main\Windows-Destroyer-main\destroy.bat"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Boot or Logon Autostart Execution: Print Processors
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies termsrv.dll
- Drops file in Windows directory
PID:4524

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Windows-Destroyer-main\Windows-Destroyer-main\How do I use this.txt
1⤵
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9841246f8,0x7ff984124708,0x7ff984124718
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3260 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,9831124000229343555,4553490087448288391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Windows-Destroyer-English-main\Windows-Destroyer-English-main\Install-Code.bat" "
1⤵
PID:412
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:4632
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  PID:2868
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:5080
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Windows-Destroyer-English-main\Windows-Destroyer-English-main\Install-Code.bat" "
1⤵
PID:3448
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:2532
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:2312
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:1216
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Windows-Destroyer-English-main\Windows-Destroyer-English-main\Install-Code.bat" "
1⤵
PID:3540
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:1412
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:4008
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:4928
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Windows-Destroyer-English-main\Windows-Destroyer-English-main\Engine-Code.bat" "
1⤵
PID:3480
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:5096
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:3792
- C:\Windows\system32\tree.com
  tree C:\Users\Admin /F
  2⤵
  PID:1716
- C:\Windows\system32\tree.com
  tree /F
  2⤵
  PID:2376
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:2100
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:2096
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:3964
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:4604
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:2372
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:4004
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:3764
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 3
  2⤵
  - Delays execution with timeout.exe
  PID:2216
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:4180
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:2344
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:4904
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:5100
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:3248
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:2232
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:4144
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:4624
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:5028
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:412
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:3620
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 3
  2⤵
  - Delays execution with timeout.exe
  PID:1148
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:4412
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  PID:408
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:1584
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:4932
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:2376
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:1716
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:3944
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:632
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:2824
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:3648
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:2008
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:3888
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:3736
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:592
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:1840
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:5048
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:4844
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:4800
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:3420
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:2216
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  PID:3336
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 3
  2⤵
  - Delays execution with timeout.exe
  PID:1648
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 5
  2⤵
  - Delays execution with timeout.exe
  PID:4880
- C:\Windows\system32\msg.exe
  msg Admin "The product key has been successfully activated: W269N-WFGWX-YVC9B-4J6C9-T83GX"
  2⤵
  PID:4584
- C:\Windows\system32\msg.exe
  msg "Admin" "Windows has been successfully activated, please restart your PC to finish the activation."
  2⤵
  PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Windows-Destroyer-English-main\Windows-Destroyer-English-main\Install-Code.bat" "
1⤵
PID:2372
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:5108
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:4180
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  PID:4412

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Windows-Destroyer-English-main\Windows-Destroyer-English-main\Engine-Code.bat" "
1⤵
PID:3736
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:3964
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:4904
- C:\Windows\system32\tree.com
  tree C:\Users\Admin /F
  2⤵
  PID:2496
- C:\Windows\system32\tree.com
  tree /F
  2⤵
  PID:4704
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:4128
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:2452
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:3524
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:2544
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 1
  2⤵
  - Delays execution with timeout.exe
  PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Windows-Destroyer-English-main\Windows-Destroyer-English-main\Install-Code.bat" "
1⤵
PID:1852
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:3624
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:1980
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:1572
- C:\Windows\system32\timeout.exe
  TIMEOUT /T 2
  2⤵
  - Delays execution with timeout.exe
  PID:3664

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2700

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9841246f8,0x7ff984124708,0x7ff984124718
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,17902439753929884449,9132707959490798386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,17902439753929884449,9132707959490798386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,17902439753929884449,9132707959490798386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17902439753929884449,9132707959490798386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17902439753929884449,9132707959490798386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17902439753929884449,9132707959490798386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17902439753929884449,9132707959490798386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,17902439753929884449,9132707959490798386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,17902439753929884449,9132707959490798386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17902439753929884449,9132707959490798386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17902439753929884449,9132707959490798386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17902439753929884449,9132707959490798386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,17902439753929884449,9132707959490798386,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17902439753929884449,9132707959490798386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,17902439753929884449,9132707959490798386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1776

C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
"C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2376
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /P:525018
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2260
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /P:525018
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:548
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ /P:525018
      4⤵
      PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Script_Run.bat" "
1⤵
PID:2700
- C:\Windows\system32\choice.exe
  choice /C:yas /N
  2⤵
  PID:3620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Script_Run.bat"
1⤵
PID:2348
- C:\Windows\system32\choice.exe
  choice /C:yas /N
  2⤵
  PID:3836
- C:\Windows\system32\bcdedit.exe
  bcdedit /set hypervisorlaunchtype off
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -noprofile -executionpolicy bypass -file "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\\RemoveSecHealthApp.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4356
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun.exe regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\NomoreDelayandTimeouts.reg"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\NomoreDelayandTimeouts.reg"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4360
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\NomoreDelayandTimeouts.reg"
      4⤵
      Modifies data under HKEY_USERS
      PID:4380
    - - C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\NomoreDelayandTimeouts.reg"
        5⤵
        Modifies data under HKEY_USERS
        Runs .reg file with regedit
        
        PID:3008
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun.exe regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\Output.reg"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4820
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\Output.reg"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3964
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\Output.reg"
      4⤵
      PID:4400
    - - C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\Output.reg"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Modifies firewall policy service
        Windows security bypass
        Modifies data under HKEY_USERS
        Modifies registry class
        Runs .reg file with regedit
        
        PID:2824
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun.exe regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\RemoveShellAssociation.reg"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\RemoveShellAssociation.reg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\RemoveShellAssociation.reg"
      4⤵
      Modifies data under HKEY_USERS
      PID:2096
    - - C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\RemoveShellAssociation.reg"
        5⤵
        Modifies firewall policy service
        Runs .reg file with regedit
        
        PID:4248
- C:\Windows\regedit.exe
  regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\NomoreDelayandTimeouts.reg"
  2⤵
  - Runs .reg file with regedit
  PID:3068
- C:\Windows\regedit.exe
  regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\Output.reg"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Modifies firewall policy service
  - Modifies security service
  - Windows security bypass
  - Modifies registry class
  - Runs .reg file with regedit
  PID:4760
- C:\Windows\regedit.exe
  regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\RemoveShellAssociation.reg"
  2⤵
  - Modifies firewall policy service
  - Runs .reg file with regedit
  PID:548
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun.exe regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_SecurityComp\Remove_SecurityComp.reg"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3636
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_SecurityComp\Remove_SecurityComp.reg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_SecurityComp\Remove_SecurityComp.reg"
      4⤵
      Modifies data under HKEY_USERS
      PID:3616
    - - C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_SecurityComp\Remove_SecurityComp.reg"
        5⤵
        Modifies firewall policy service
        UAC bypass
        Modify Registry: Disable Windows Driver Blocklist
        Boot or Logon Autostart Execution: LSASS Driver
        Modifies data under HKEY_USERS
        Modifies registry class
        Runs .reg file with regedit
        
        PID:5112
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
      4⤵
      PID:3736
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
        5⤵
        
        PID:548
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5048
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
      4⤵
      Modifies data under HKEY_USERS
      PID:4400
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
        5⤵
        
        PID:4976
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4084
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
      4⤵
      Modifies data under HKEY_USERS
      PID:3624
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
        5⤵
        
        PID:5104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Script_Run.bat"
1⤵
PID:1456
- C:\Windows\system32\choice.exe
  choice /C:yas /N
  2⤵
  PID:3092
- C:\Windows\system32\bcdedit.exe
  bcdedit /set hypervisorlaunchtype off
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -noprofile -executionpolicy bypass -file "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\\RemoveSecHealthApp.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3756
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun.exe regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\NomoreDelayandTimeouts.reg"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\NomoreDelayandTimeouts.reg"
    3⤵
    PID:4604
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\NomoreDelayandTimeouts.reg"
      4⤵
      Modifies data under HKEY_USERS
      PID:4768
    - - C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\NomoreDelayandTimeouts.reg"
        5⤵
        Modifies data under HKEY_USERS
        Runs .reg file with regedit
        
        PID:3844
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun.exe regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\Output.reg"
  2⤵
  PID:468
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\Output.reg"
    3⤵
    PID:2452
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\Output.reg"
      4⤵
      PID:5032
    - - C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\Output.reg"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Modifies firewall policy service
        Windows security bypass
        Modifies data under HKEY_USERS
        Runs .reg file with regedit
        
        PID:2424
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun.exe regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\RemoveShellAssociation.reg"
  2⤵
  PID:912
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\RemoveShellAssociation.reg"
    3⤵
    PID:4028
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\RemoveShellAssociation.reg"
      4⤵
      Modifies data under HKEY_USERS
      PID:4300
    - - C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\RemoveShellAssociation.reg"
        5⤵
        Modifies firewall policy service
        Runs .reg file with regedit
        
        PID:1592
- C:\Windows\regedit.exe
  regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\NomoreDelayandTimeouts.reg"
  2⤵
  - Runs .reg file with regedit
  PID:3848
- C:\Windows\regedit.exe
  regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\Output.reg"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Modifies firewall policy service
  - Windows security bypass
  - Runs .reg file with regedit
  PID:1232
- C:\Windows\regedit.exe
  regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_defender\RemoveShellAssociation.reg"
  2⤵
  - Modifies firewall policy service
  - Runs .reg file with regedit
  PID:2268
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun.exe regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_SecurityComp\Remove_SecurityComp.reg"
  2⤵
  PID:3632
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_SecurityComp\Remove_SecurityComp.reg"
    3⤵
    PID:1852
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_SecurityComp\Remove_SecurityComp.reg"
      4⤵
      PID:1216
    - - C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\Remove_SecurityComp\Remove_SecurityComp.reg"
        5⤵
        Modifies firewall policy service
        UAC bypass
        Modify Registry: Disable Windows Driver Blocklist
        Boot or Logon Autostart Execution: LSASS Driver
        Modifies data under HKEY_USERS
        Runs .reg file with regedit
        
        PID:4464
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
  2⤵
  PID:4008
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
    3⤵
    PID:3980
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
      4⤵
      Modifies data under HKEY_USERS
      PID:5000
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
        5⤵
        
        PID:4284
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
  2⤵
  PID:2840
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
    3⤵
    PID:708
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
      4⤵
      Modifies data under HKEY_USERS
      PID:2700
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
        5⤵
        
        PID:3888
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
  2⤵
  PID:3024
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
    3⤵
    PID:3268
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
      4⤵
      PID:1636
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
        5⤵
        
        PID:2816
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
  2⤵
  PID:3824
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
    3⤵
    PID:4908
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
      4⤵
      Modifies data under HKEY_USERS
      PID:4356
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
        5⤵
        
        PID:3748
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
  2⤵
  PID:5004
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
    3⤵
    PID:2020
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
      4⤵
      Modifies data under HKEY_USERS
      PID:4884
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
        5⤵
        
        PID:3916
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
  2⤵
  PID:4632
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
    3⤵
    PID:3500
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
      4⤵
      PID:4332
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
        5⤵
        
        PID:2376
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
  2⤵
  PID:5076
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
    3⤵
    PID:3540
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
      4⤵
      Modifies data under HKEY_USERS
      PID:3060
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
        5⤵
        
        PID:672
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
  2⤵
  PID:4360
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
    3⤵
    PID:468
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
      4⤵
      PID:1232
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
        5⤵
        
        PID:5000
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
  2⤵
  PID:3680
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
    3⤵
    PID:4768
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
      4⤵
      Modifies data under HKEY_USERS
      PID:4752
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
        5⤵
        
        PID:4248
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
  2⤵
  PID:4880
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
    3⤵
    PID:5112
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
      4⤵
      PID:1052
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""
        5⤵
        
        PID:4400
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
  2⤵
  PID:4404
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
    3⤵
    PID:2908
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
      4⤵
      Modifies data under HKEY_USERS
      PID:4460
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
        5⤵
        
        PID:1048
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
  2⤵
  PID:2992
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
    3⤵
    PID:3212
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
      4⤵
      Modifies data under HKEY_USERS
      PID:2424
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""
        5⤵
        
        PID:3632
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
  2⤵
  PID:2768
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
    3⤵
    PID:2536
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
      4⤵
      Modifies data under HKEY_USERS
      PID:2888
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscproxystub.dll""
        5⤵
        
        PID:2964
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
  2⤵
  PID:1584
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
    3⤵
    PID:1312
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
      4⤵
      PID:1388
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscisvif.dll""
        5⤵
        
        PID:372
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
  2⤵
  PID:3952
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
    3⤵
    PID:4948
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
      4⤵
      Modifies data under HKEY_USERS
      PID:3368
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
        5⤵
        
        PID:456
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1592
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
  2⤵
  PID:3056
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
    3⤵
    PID:3412
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
      4⤵
      Modifies data under HKEY_USERS
      PID:2444
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.dll""
        5⤵
        
        PID:4248
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
  2⤵
  PID:3024
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
    3⤵
    PID:4816
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
      4⤵
      PID:4768
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
        5⤵
        
        PID:592
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
  2⤵
  PID:3848
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
    3⤵
    PID:5068
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
      4⤵
      Modifies data under HKEY_USERS
      PID:2952
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.exe""
        5⤵
        
        PID:3748
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
  2⤵
  PID:4992
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
    3⤵
    PID:5076
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
      4⤵
      PID:1400
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
        5⤵
        
        PID:912
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
  2⤵
  PID:4872
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
    3⤵
    PID:3760
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
      4⤵
      PID:396
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\DWWIN.EXE""
        5⤵
        
        PID:1544
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
  2⤵
  PID:964
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
    3⤵
    PID:3668
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
      4⤵
      Modifies data under HKEY_USERS
      PID:656
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
        5⤵
        
        PID:1380
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
  2⤵
  PID:4624
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
    3⤵
    PID:2300
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
      4⤵
      Modifies data under HKEY_USERS
      PID:2604
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreenps.dll""
        5⤵
        
        PID:2112
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
  2⤵
  PID:1152
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
    3⤵
    PID:2356
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
      4⤵
      Modifies data under HKEY_USERS
      PID:2200
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
        5⤵
        
        PID:3156
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
  2⤵
  PID:1980
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
    3⤵
    PID:3492
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
      4⤵
      PID:1100
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
        5⤵
        
        PID:4752
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
  2⤵
  PID:4416
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
    3⤵
    PID:3060
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
      4⤵
      PID:2312
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
        5⤵
        
        PID:4884
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
  2⤵
  PID:1096
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
    3⤵
    PID:4880
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
      4⤵
      Modifies data under HKEY_USERS
      PID:4996
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
        5⤵
        
        PID:2608
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
  2⤵
  PID:2124
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
    3⤵
    PID:5064
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
      4⤵
      PID:3924
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscapi.dll""
        5⤵
        
        PID:3736
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
  2⤵
  PID:1020
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
    3⤵
    PID:4416
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
      4⤵
      Modifies data under HKEY_USERS
      PID:2024
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscadminui.exe""
        5⤵
        
        PID:232
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
  2⤵
  PID:2388
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
    3⤵
    PID:1668
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
      4⤵
      PID:3624
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
        5⤵
        
        PID:2856
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
  2⤵
  PID:1152
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
    3⤵
    PID:644
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
      4⤵
      Modifies data under HKEY_USERS
      PID:3836
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
        5⤵
        
        PID:1248
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
  2⤵
  PID:2268
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
    3⤵
    PID:3056
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
      4⤵
      Modifies data under HKEY_USERS
      PID:1776
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
        5⤵
        
        PID:1048
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
  2⤵
  PID:1852
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
    3⤵
    PID:4100
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
      4⤵
      Modifies data under HKEY_USERS
      PID:2256
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
        5⤵
        
        PID:2444
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
  2⤵
  PID:3824
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
    3⤵
    PID:3408
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
      4⤵
      PID:2452
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
        5⤵
        
        PID:4996
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
  2⤵
  PID:4416
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
    3⤵
    PID:1840
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
      4⤵
      Modifies data under HKEY_USERS
      PID:3956
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
        5⤵
        
        PID:3328
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
  2⤵
  PID:3888
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
    3⤵
    PID:3940
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
      4⤵
      PID:4284
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
        5⤵
        
        PID:1052
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
  2⤵
  PID:656
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
    3⤵
    PID:5032
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
      4⤵
      Modifies data under HKEY_USERS
      PID:3456
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
        5⤵
        
        PID:4088
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
  2⤵
  PID:4976
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
    3⤵
    PID:4172
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
      4⤵
      PID:1548
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
        5⤵
        
        PID:2196
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3748
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
  2⤵
  PID:2444
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
    3⤵
    PID:2348
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
      4⤵
      PID:2992
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
        5⤵
        
        PID:1936
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
  2⤵
  PID:4624
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
    3⤵
    PID:3356
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
      4⤵
      Modifies data under HKEY_USERS
      PID:2528
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
        5⤵
        
        PID:4984
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
  2⤵
  PID:4464
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
    3⤵
    PID:3960
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
      4⤵
      Modifies data under HKEY_USERS
      PID:3548
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
        5⤵
        
        PID:3540
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
  2⤵
  PID:232
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
    3⤵
    PID:4488
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
      4⤵
      Modifies data under HKEY_USERS
      PID:208
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
        5⤵
        
        PID:4116
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
  2⤵
  PID:5064
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
    3⤵
    PID:4604
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
      4⤵
      PID:2624
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
        5⤵
        
        PID:3980
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
  2⤵
  PID:4172
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
    3⤵
    PID:2756
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
      4⤵
      PID:3888
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
        5⤵
        
        PID:1380
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
  2⤵
  PID:2024
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
    3⤵
    PID:2972
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
      4⤵
      PID:3068
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
        5⤵
        
        PID:1192
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
  2⤵
  PID:1668
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
    3⤵
    PID:1600
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
      4⤵
      PID:3840
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender" /s /q
        5⤵
        
        PID:2768
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
  2⤵
  PID:2424
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
    3⤵
    PID:4488
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
      4⤵
      PID:1100
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
        5⤵
        
        PID:1084
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
  2⤵
  PID:1368
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
    3⤵
    PID:4028
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
      4⤵
      PID:3188
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
        5⤵
        
        PID:1864
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
  2⤵
  PID:4404
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
    3⤵
    PID:2756
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
      4⤵
      PID:3824
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Sgrm" /s /q
        5⤵
        
        PID:1752
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4624
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
  2⤵
  PID:3940
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
    3⤵
    PID:2816
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
      4⤵
      PID:2280
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
        5⤵
        
        PID:3932
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
  2⤵
  PID:3952
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
    3⤵
    PID:3092
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
      4⤵
      PID:1020
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
        5⤵
        
        PID:3964
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2964
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
  2⤵
  PID:2528
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
    3⤵
    PID:372
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
      4⤵
      PID:720
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
        5⤵
        
        PID:3632
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
  2⤵
  PID:4552
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
    3⤵
    PID:3548
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
      4⤵
      PID:4464
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
        5⤵
        
        PID:1852
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
  2⤵
  PID:3068
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
    3⤵
    PID:4880
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
      4⤵
      PID:2840
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
        5⤵
        
        PID:1216
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
  2⤵
  PID:3840
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
    3⤵
    PID:4984
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
      4⤵
      PID:2260
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
        5⤵
        
        PID:3624
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:232
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
  2⤵
  PID:1940
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
    3⤵
    PID:4544
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
      4⤵
      PID:4120
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
        5⤵
        
        PID:1048
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
  2⤵
  PID:4004
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
    3⤵
    PID:3068
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
      4⤵
      PID:2940
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
        5⤵
        
        PID:4832
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
  2⤵
  PID:2888
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
    3⤵
    PID:2020
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
      4⤵
      PID:4872
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
        5⤵
        
        PID:836
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
  2⤵
  PID:4924
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
    3⤵
    PID:1340
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
      4⤵
      PID:1084
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\bcastdvr" /s /q
        5⤵
        
        PID:4548
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
  2⤵
  PID:4380
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
    3⤵
    PID:5052
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
      4⤵
      PID:5000
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
        5⤵
        
        PID:1312
- C:\Windows\system32\timeout.exe
  timeout 3
  2⤵
  - Delays execution with timeout.exe
  PID:4576
- C:\Windows\system32\shutdown.exe
  shutdown /r /f /t 10
  2⤵
  PID:3988

C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
"C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe"
1⤵
PID:4972
- C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
  "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /P:1835556
  2⤵
  PID:212
- - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
    "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /P:1835556
    3⤵
    PID:1120
  - - C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe
      "C:\Users\Admin\Downloads\windows-defender-remover-main\windows-defender-remover-main\PowerRun.exe" /TI/ /P:1835556
      4⤵
      PID:2856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ver & echo Hi world!
        5⤵
        
        PID:3068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        5⤵
        
        PID:4880

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3f02055 /state1:0x41c64e6d
1⤵
PID:1192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

LSASS Driver

T1547.008

Print Processors

T1547.012

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

LSASS Driver

T1547.008

Print Processors

T1547.012

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery