I would assume any machine not owned by me is fully compromised and there is no recovery possible. And treat it accordingly, such as using it just for the purpose the owner of the machine dictates assuming I value that relationship.

The startup script you blocked could have just been a decoy. And set off a red flag.

A lot of these EDR's operate in kernel space.