Check the creation date or last logon of each:
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run investigating windows 2.0 tryhackme
certutil -hashfile C:\path\to\file MD5
"What is the command that the attacker executed to disable Windows Defender?" Check the creation date or last logon of