Windows Defender raised alerts because a file named "ntoskrnl.exe" and other files in the /arz directory were flagged as backdoors. These files are temporary: rsync generates them during synchronization, and senhasegura uses them to play back recorded sessions.

The Windows Defender alert is a false positive. The files hold the commands and packets that were sent to the endpoint while the session was being recorded, so it is the recorded content, not the file itself, that matches the antivirus signature. Before dismissing the alert, confirm that the flagged files are inside the senhasegura synchronization directory; a file named ntoskrnl.exe anywhere else, in particular the Windows kernel image under System32, should not be treated as a recording artifact on the strength of this note.
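The following PowerShell script is an added example of how an administrator can verify the alert before accepting it as a false positive; it is not senhasegura's own tooling. It assumes that Defender runs on a Windows host that holds a local copy of the synchronized /arz files, and the `$RecordingDir` path is a placeholder to replace with the real location. The cmdlets used (`Get-MpThreatDetection`, `Get-MpThreat`, `Get-MpPreference`, `Add-MpPreference`) are the standard Defender module cmdlets.

```powershell
# Added example, not part of senhasegura's documentation or product code.
# Assumption: the rsync'd session files live under $RecordingDir on the host running Defender.
param(
    [string]$RecordingDir = 'D:\senhasegura\arz',   # placeholder path, replace with the real one
    [switch]$AddExclusion                           # only add the Defender exclusion when asked to
)

# 1. Collect every Defender detection whose flagged resource lies under the recording directory.
#    Resources are reported as strings such as "file:_C:\path\name", so strip the "<type>:_" prefix.
$hits = Get-MpThreatDetection | Where-Object {
    ($_.Resources -replace '^[a-z]+:_', '') -match ('^' + [regex]::Escape($RecordingDir))
}

if (-not $hits) {
    Write-Host "No Defender detections found under $RecordingDir"
    return
}

# 2. Show what was flagged, when, and under which threat name, so the decision rests on evidence.
$hits | ForEach-Object {
    $threat = Get-MpThreat -ThreatID $_.ThreatID
    [pscustomobject]@{
        Detected  = $_.InitialDetectionTime
        Threat    = $threat.ThreatName
        Resources = (($_.Resources -replace '^[a-z]+:_', '') -join '; ')
        Handled   = $_.ActionSuccess
    }
} | Format-Table -AutoSize

# 3. Separate the known case (a recording artifact named ntoskrnl.exe inside the recording
#    directory) from the real Windows kernel image, which must never be dismissed as benign.
$systemKernel = Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'
$flaggedFiles = $hits.Resources -replace '^[a-z]+:_', '' | Sort-Object -Unique
foreach ($f in $flaggedFiles) {
    if ($f -ieq $systemKernel) {
        Write-Warning "Detection on the kernel image $f itself; treat as a real incident, not a false positive"
    }
    elseif (Test-Path -LiteralPath $f) {
        # Record the hash so the benign artifact can be recognised if it is reported again.
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Write-Host "Recording artifact $f SHA256=$hash"
    }
}

# 4. Only once the paths are confirmed, exclude just the recording directory so that future
#    session recordings containing the same strings do not re-trigger the signature.
#    Scoping the exclusion to one directory keeps protection on the rest of the host.
if ($AddExclusion) {
    $current = (Get-MpPreference).ExclusionPath
    if ($current -notcontains $RecordingDir) {
        Add-MpPreference -ExclusionPath $RecordingDir
        Write-Host "Added Defender path exclusion for $RecordingDir"
    }
}
```

Run it first without `-AddExclusion` to review the detections; the exclusion is deliberately opt-in because a path exclusion also hides genuine malware dropped into that directory, so it should be limited to the synchronization directory and revisited if the recording location changes.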