Weaponizing Legitimate Low-Level Tools: How Ransomware Evades Antivirus Protections
ID: 1deea878-15be-5f77-8059-a0c8667c5c25
STIX ID: report--1deea878-15be-5f77-8059-a0c8667c5c25
Feed Name: Seqrite Blog
### Executive Summary

This report analyzes how ransomware operators increasingly abuse legitimate low-level administrative tools (e.g., Process Hacker, IOBit Unlocker, PowerRun, kernel debuggers) to disable antivirus/EDR, gain SYSTEM/kernel privileges, steal credentials, and deploy ransomware; it maps these behaviors to MITRE ATT&CK, provides live campaign examples and emerging trends (including RaaS antivirus killers and kernel-level escalation), and offers detection, incident response, and hardening recommendations.
