Hi,
Thank you for posting your query. According to your description, the key point to solve this issue is disabling the msra.exe and quickassist.exe which the hackers may use. Here are some steps you can refer to.
In the Group Policy window for those users, on the left-hand side, drill down to User Configuration > Administrative Templates > System. On the right, find the “Run only specified Windows applications” setting and double-click it to open its properties dialog. If you want to block specific applications rather than restricting them, you would open the “Don’t run specified Windows applications” setting instead.
In the properties window that opens, click the “Enabled” option and then click the “Show” button.
In the “Show Contents” window, click each line in the list and type the name of the excecutable you want users to be able to run (or the name of apps you want to block if that’s what you’re doing instead). When you’re done building your list, click “OK.”
You can now exit the Local Group Policy window. To test your changes, sign in with one of the affected user accounts and try to launch an app to which the user should not have access. Instead of launching the app, you should see an error message.
What's more, it is highly suggested that you should deploy win10 Security Mode Anti-virus.
---If the suggestions above are helpful, please ACCEPT ANSWER. Really appreciate. This will also help others with similar issue to find this post quickly. ---