โ† Back to hub

ALPHV BlackCat Ransomware - Windows Defender Disablement via PowerShell and Registry

Detects PowerShell and service control commands used by ALPHV BlackCat ransomware operators to disable Windows Defender and related AV services before deploying the ransomware payload. This is consistent with the pre-encryption TTPs documented in the DOJ BlackCat disruption case, in which two operators pleaded guilty to targeting multiple U.S. victims.