6b61a90ebc20baa1ee6ea5bc7c4b31c40531616c458b27d19511e4f57f5fbf67

Analysis

max time kernel
92s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New-EXE/hardening-apply.exe
Size

144KB
MD5

7bbc288f509b422098217675c173aea1
SHA1

03e89432aaf277af64032952388ec932fc234490
SHA256

402b31c398f6497c5cfc24e9ddcda0239d9b8c688d2217f2c00260f5b1674e49
SHA512

dd431b210fddc6ccc641dfaa8ae2fe3fdcee670dac93be03fbedaa1e6053ac5a85cbc7540808c25906d179847e7fc713a269d67e5c24d1edc714fb2a2ce3cf4f
SSDEEP

3072:Ipvb7RV/8hhb3dLUK94IgqHniOSyaZoc7QNPnP9TBfWSCbXFwiepIO:o9VkhhrdYK94IgqHniOSyaZoc7QNPnPF

Score

10^/10

defense_evasion discovery evasion execution lateral_movement persistence privilege_escalation trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "0"	powershell.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	powershell.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
27	3676	powershell.exe
29	3676	powershell.exe

Allows Network login with blank passwords 1 TTPs 1 IoCs

Allows local user accounts with blank passwords to access device from the network.

Remote Desktop Protocol

T1021.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "1"	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	hardening-apply.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "1"	powershell.exe

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Remote Services: SMB/Windows Admin Shares 1 TTPs 3 IoCs

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

lateral_movement

SMB/Windows Admin Shares

T1021.002

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes = 00000000	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes = 6e00650074006c006f0067006f006e002c00730061006d0072002c006c007300610072007000630000000000	powershell.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ossec-agent\active-response\active-responses.log	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3676	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 17 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f914d34881601a250000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f914d3480000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f914d348000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df914d348000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f914d34800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Security	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Security	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Security = 0100148000000000000000001400000044000000020030000200000002401400070001000101000000000001000000000280140007000100010100000000000100000000020080000600000000001400ff011f0001010000000000051200000000001400ff011f0001010000000000051300000000001400ff011f0001010000000000050400000000001400a000120001010000000000010000000000001400a000120001010000000000050c00000000001400ff011f0001010000000000050b000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Security = 0100148000000000000000001400000044000000020030000200000002401400070001000101000000000001000000000280140007000100010100000000000100000000020080000600000000001400ff011f0001010000000000051200000000001400ff011f0001010000000000051300000000001400ff011f0001010000000000050400000000001400a000120001010000000000010000000000001400a000120001010000000000050c00000000001400ff011f0001010000000000050b000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Security	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Security = 0100148000000000000000001400000044000000020030000200000002401400070001000101000000000001000000000280140007000100010100000000000100000000020080000600000000001400ff011f0001010000000000051200000000001400ff011f0001010000000000051300000000001400ff011f0001010000000000050400000000001400a000120001010000000000010000000000001400a000120001010000000000050c00000000001400ff011f0001010000000000050b000000	svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3676	powershell.exe
3676	powershell.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeBackupPrivilege	2804	vssvc.exe
Token: SeRestorePrivilege	2804	vssvc.exe
Token: SeAuditPrivilege	2804	vssvc.exe
Token: SeBackupPrivilege	1504	srtasks.exe
Token: SeRestorePrivilege	1504	srtasks.exe
Token: SeSecurityPrivilege	1504	srtasks.exe
Token: SeTakeOwnershipPrivilege	1504	srtasks.exe
Token: SeBackupPrivilege	1504	srtasks.exe
Token: SeRestorePrivilege	1504	srtasks.exe
Token: SeSecurityPrivilege	1504	srtasks.exe
Token: SeTakeOwnershipPrivilege	1504	srtasks.exe
Token: SeIncreaseQuotaPrivilege	3676	powershell.exe
Token: SeSecurityPrivilege	3676	powershell.exe
Token: SeTakeOwnershipPrivilege	3676	powershell.exe
Token: SeLoadDriverPrivilege	3676	powershell.exe
Token: SeSystemProfilePrivilege	3676	powershell.exe
Token: SeSystemtimePrivilege	3676	powershell.exe
Token: SeProfSingleProcessPrivilege	3676	powershell.exe
Token: SeIncBasePriorityPrivilege	3676	powershell.exe
Token: SeCreatePagefilePrivilege	3676	powershell.exe
Token: SeBackupPrivilege	3676	powershell.exe
Token: SeRestorePrivilege	3676	powershell.exe
Token: SeShutdownPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeSystemEnvironmentPrivilege	3676	powershell.exe
Token: SeRemoteShutdownPrivilege	3676	powershell.exe
Token: SeUndockPrivilege	3676	powershell.exe
Token: SeManageVolumePrivilege	3676	powershell.exe
Token: 33	3676	powershell.exe
Token: 34	3676	powershell.exe
Token: 35	3676	powershell.exe
Token: 36	3676	powershell.exe
Token: SeSecurityPrivilege	984	auditpol.exe
Token: SeSecurityPrivilege	4580	auditpol.exe
Token: SeSecurityPrivilege	2880	auditpol.exe
Token: SeSecurityPrivilege	4152	auditpol.exe
Token: SeSecurityPrivilege	1944	auditpol.exe
Token: SeSecurityPrivilege	4400	auditpol.exe
Token: SeSecurityPrivilege	4860	auditpol.exe
Token: SeSecurityPrivilege	3240	auditpol.exe
Token: SeSecurityPrivilege	1440	auditpol.exe
Token: SeSecurityPrivilege	2352	auditpol.exe
Token: SeSecurityPrivilege	2772	auditpol.exe
Token: SeSecurityPrivilege	1148	auditpol.exe
Token: SeSecurityPrivilege	544	auditpol.exe
Token: SeSecurityPrivilege	1536	auditpol.exe
Token: SeSecurityPrivilege	3728	auditpol.exe
Token: SeSecurityPrivilege	3388	auditpol.exe
Token: SeSecurityPrivilege	2440	auditpol.exe
Token: SeSecurityPrivilege	1748	auditpol.exe
Token: SeSecurityPrivilege	1784	auditpol.exe
Token: SeSecurityPrivilege	4568	auditpol.exe
Token: SeSecurityPrivilege	3712	auditpol.exe
Token: SeSecurityPrivilege	1356	auditpol.exe
Token: SeSecurityPrivilege	3776	auditpol.exe
Token: SeSecurityPrivilege	1848	auditpol.exe
Token: SeSecurityPrivilege	3924	auditpol.exe
Token: SeSecurityPrivilege	3872	auditpol.exe
Token: SeSecurityPrivilege	1288	auditpol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 3676	2480	hardening-apply.exe	83
PID 2480 wrote to memory of 3676	2480	hardening-apply.exe	83
PID 3676 wrote to memory of 2416	3676	powershell.exe	106
PID 3676 wrote to memory of 2416	3676	powershell.exe	106
PID 3676 wrote to memory of 1896	3676	powershell.exe	107
PID 3676 wrote to memory of 1896	3676	powershell.exe	107
PID 3676 wrote to memory of 4936	3676	powershell.exe	108
PID 3676 wrote to memory of 4936	3676	powershell.exe	108
PID 3676 wrote to memory of 4684	3676	powershell.exe	119
PID 3676 wrote to memory of 4684	3676	powershell.exe	119
PID 4684 wrote to memory of 2020	4684	net.exe	120
PID 4684 wrote to memory of 2020	4684	net.exe	120
PID 3676 wrote to memory of 4896	3676	powershell.exe	121
PID 3676 wrote to memory of 4896	3676	powershell.exe	121
PID 4896 wrote to memory of 5068	4896	net.exe	122
PID 4896 wrote to memory of 5068	4896	net.exe	122
PID 3676 wrote to memory of 4100	3676	powershell.exe	123
PID 3676 wrote to memory of 4100	3676	powershell.exe	123
PID 4100 wrote to memory of 2240	4100	net.exe	124
PID 4100 wrote to memory of 2240	4100	net.exe	124
PID 3676 wrote to memory of 224	3676	powershell.exe	125
PID 3676 wrote to memory of 224	3676	powershell.exe	125
PID 224 wrote to memory of 3140	224	net.exe	126
PID 224 wrote to memory of 3140	224	net.exe	126
PID 3676 wrote to memory of 2304	3676	powershell.exe	127
PID 3676 wrote to memory of 2304	3676	powershell.exe	127
PID 3676 wrote to memory of 3772	3676	powershell.exe	128
PID 3676 wrote to memory of 3772	3676	powershell.exe	128
PID 3676 wrote to memory of 4672	3676	powershell.exe	129
PID 3676 wrote to memory of 4672	3676	powershell.exe	129
PID 3676 wrote to memory of 2336	3676	powershell.exe	130
PID 3676 wrote to memory of 2336	3676	powershell.exe	130
PID 2336 wrote to memory of 5040	2336	net.exe	131
PID 2336 wrote to memory of 5040	2336	net.exe	131
PID 3676 wrote to memory of 984	3676	powershell.exe	132
PID 3676 wrote to memory of 984	3676	powershell.exe	132
PID 984 wrote to memory of 2068	984	net.exe	133
PID 984 wrote to memory of 2068	984	net.exe	133
PID 3676 wrote to memory of 4580	3676	powershell.exe	134
PID 3676 wrote to memory of 4580	3676	powershell.exe	134
PID 4580 wrote to memory of 2100	4580	net.exe	135
PID 4580 wrote to memory of 2100	4580	net.exe	135
PID 3676 wrote to memory of 3648	3676	powershell.exe	136
PID 3676 wrote to memory of 3648	3676	powershell.exe	136
PID 3676 wrote to memory of 3772	3676	powershell.exe	137
PID 3676 wrote to memory of 3772	3676	powershell.exe	137
PID 3676 wrote to memory of 1504	3676	powershell.exe	138
PID 3676 wrote to memory of 1504	3676	powershell.exe	138
PID 3676 wrote to memory of 3140	3676	powershell.exe	139
PID 3676 wrote to memory of 3140	3676	powershell.exe	139
PID 3676 wrote to memory of 3712	3676	powershell.exe	164
PID 3676 wrote to memory of 3712	3676	powershell.exe	164
PID 3676 wrote to memory of 1464	3676	powershell.exe	141
PID 3676 wrote to memory of 1464	3676	powershell.exe	141
PID 3676 wrote to memory of 984	3676	powershell.exe	142
PID 3676 wrote to memory of 984	3676	powershell.exe	142
PID 3676 wrote to memory of 4580	3676	powershell.exe	143
PID 3676 wrote to memory of 4580	3676	powershell.exe	143
PID 3676 wrote to memory of 2880	3676	powershell.exe	144
PID 3676 wrote to memory of 2880	3676	powershell.exe	144
PID 3676 wrote to memory of 4152	3676	powershell.exe	145
PID 3676 wrote to memory of 4152	3676	powershell.exe	145
PID 3676 wrote to memory of 1944	3676	powershell.exe	146
PID 3676 wrote to memory of 1944	3676	powershell.exe	146

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\New-EXE\hardening-apply.exe
"C:\Users\Admin\AppData\Local\Temp\New-EXE\hardening-apply.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\8C71.tmp\8C72.tmp\8C73.ps1
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Blocklisted process makes network request
  - Allows Network login with blank passwords
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Remote Services: SMB/Windows Admin Shares
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export HKLM\SOFTWARE\Policies C:\hardening\windows_backup\Policies_Backup.reg /y
    3⤵
    PID:2416
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" C:\hardening\windows_backup\Winlogon_Backup.reg /y
    3⤵
    PID:1896
- - C:\Windows\system32\gpresult.exe
    "C:\Windows\system32\gpresult.exe" /h C:\hardening\windows_backup\GroupPolicyBackup.html
    3⤵
    PID:4936
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" accounts /UNIQUEPW:24
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /UNIQUEPW:24
      4⤵
      PID:2020
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" accounts /MAXPWAGE:365
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /MAXPWAGE:365
      4⤵
      PID:5068
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" accounts /MINPWAGE:1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /MINPWAGE:1
      4⤵
      PID:2240
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" accounts /MINPWLEN:14
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /MINPWLEN:14
      4⤵
      PID:3140
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\tmp148D.tmp /areas SECURITYPOLICY
    3⤵
    PID:2304
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /import /cfg C:\Users\Admin\AppData\Local\Temp\tmp148D.tmp /overwrite /areas SECURITYPOLICY /db C:\Users\Admin\AppData\Local\Temp\tmp148E.tmp /quiet
    3⤵
    PID:3772
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\tmp148E.tmp /overwrite /areas SECURITYPOLICY /quiet
    3⤵
    PID:4672
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" accounts /lockoutwindow:15 /lockoutduration:15
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /lockoutwindow:15 /lockoutduration:15
      4⤵
      PID:5040
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" accounts /lockoutthreshold:5
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /lockoutthreshold:5
      4⤵
      PID:2068
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" accounts /lockoutwindow:15
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /lockoutwindow:15
      4⤵
      PID:2100
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\tmp1B55.tmp /areas SECURITYPOLICY
    3⤵
    PID:3648
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /import /cfg C:\Users\Admin\AppData\Local\Temp\tmp1B55.tmp /overwrite /areas SECURITYPOLICY /db C:\Users\Admin\AppData\Local\Temp\tmp1B56.tmp /quiet
    3⤵
    PID:3772
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\tmp1B56.tmp /overwrite /areas SECURITYPOLICY /quiet
    3⤵
    PID:1504
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\tmp2058.tmp /areas SECURITYPOLICY
    3⤵
    PID:3140
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /import /cfg C:\Users\Admin\AppData\Local\Temp\tmp2058.tmp /overwrite /areas SECURITYPOLICY /db C:\Users\Admin\AppData\Local\Temp\tmp2059.tmp /quiet
    3⤵
    PID:3712
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\tmp2059.tmp /overwrite /areas SECURITYPOLICY /quiet
    3⤵
    PID:1464
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE923F-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:984
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9239-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4580
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9237-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9235-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4152
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0cce9248-69ae-11d9-bed3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4400
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9217-69AE-11D9-BED3-505054503030} /success:disable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4860
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0cce9249-69ae-11d9-bed3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3240
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9216-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9215-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE921C-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE921B-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9244-69AE-11D9-BED3-505054503030} /success:disable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:544
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9224-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9227-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9245-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3388
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE922F-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9230-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9231-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9232-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9234-69AE-11D9-BED3-505054503030} /success:disable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3712
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9228-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9213-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3776
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9214-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9210-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3924
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9211-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3872
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9212-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1288
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "net accounts /lockoutthreshold:5"
    3⤵
    PID:3240
  - - C:\Windows\system32\net.exe
      net accounts /lockoutthreshold:5
      4⤵
      PID:4908
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 accounts /lockoutthreshold:5
        5⤵
        
        PID:2296
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" stop WazuhSvc
    3⤵
    PID:1536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WazuhSvc
      4⤵
      PID:3524
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" start WazuhSvc
    3⤵
    PID:452
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start WazuhSvc
      4⤵
      PID:3544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
- Checks SCSI registry key(s)
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Password Policy Discovery

T1201

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

SMB/Windows Admin Shares

T1021.002

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8C71.tmp\8C72.tmp\8C73.ps1

Filesize
32KB

MD5
068b4b99ac40cacba21f7d6bc2a85cc5

SHA1
6c58adda2af228042034d33a3623ab88781ccf96

SHA256
2ec97b58ad70b015c3ce8d22d598460278164b9358867cd8023ef20058b8f008

SHA512
e9ab4a133755a855f0dac10c5008c28c71dab73fceacc500bce02f6a0b285dc514f3eaaefd93ae1f8c900b7b1db292d1f12f68f31417688d24597b51b9f4af1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\hardeningkitty_log_gumlnlfe_Custom-Hardening-Script-for-Windows10-11-20241119-110120.log

Filesize
4KB

MD5
ed6d9f29a736c01750741df8b478e807

SHA1
8cfbfcda77a90c8c3233bafc9762bb609f1fcc9e

SHA256
98ae1d75fdfb1e54cd3e91c149076f3203782715574805d14dae1fc4da6e8da2

SHA512
6519358f1ce30c897b221620fdae05e64e409136388ae1bf821294bf43d0e87fca487a5402dea9aefbeef745b4f795e29740ab6efbae667615d92e60d05aa2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\hardeningkitty_report_gumlnlfe_Custom-Hardening-Script-for-Windows10-11-20241119-110120.csv

Filesize
2KB

MD5
fb2b36362267b05490083d156eb9aaa5

SHA1
18dcf525ebb9f1be573cdfeedaab1b2aee9895d3

SHA256
18532d73dac3572cdc037534bdc984c0fcd25c3a0926ef58c1759704bb6fb17a

SHA512
7aa41544c72e83ddcfddfcd8fd2c31617fff7604112b5ad277ea52416dba8cdc23d8119e014aa89eac0e201de6e0dd3480bdf8f02548bb4ce2b24b051e581a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\hardeningkitty_report_gumlnlfe_Custom-Hardening-Script-for-Windows10-11-20241119-110120.csv

Filesize
2KB

MD5
0becf0a57484cf69fb9051a8b2fe6c97

SHA1
9aef813b14fc5c8fa81424cf6b8f845fa382d1cf

SHA256
f0b33d1da61e8b888eee58c69f7de232e49ef521c41895527bf4d6e0db2143c2

SHA512
5460f7d597a29cb583218b191c6f09c873b683d72b9b0cd0bb6e8fb8a3f1a3df394f502d2c8b808a0979b7e4c947c82e584f76b0b9dcac280f61b2d97fd8a19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\hardeningkitty_report_gumlnlfe_Custom-Hardening-Script-for-Windows10-11-20241119-110120.csv

Filesize
3KB

MD5
023f960d8c207f99e1e572b2abdaf54e

SHA1
8969c43b3883c3fc28e245a16cacbc89822e3383

SHA256
4312094cc7a4efda28379514deca588d755427175e93a04dd109bd4c41114d19

SHA512
78338b6d1518a2fcc71089074a1b413ee3c0c496c2029eca47f7c94dd680bf9f2d29ea2b7482bf646c29ccd4ec84183c0bca6413b228dc82b1789de050cfbd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\hardeningkitty_report_gumlnlfe_Custom-Hardening-Script-for-Windows10-11-20241119-110120.csv

Filesize
4KB

MD5
3fb615d70afc11524ca2e73cdcd7b9a0

SHA1
cb49fd842e60df9f4187edf0d32594d0affe36f2

SHA256
91977dbeee3fca8de2d5d22ec5ccec8123fd3af6ca070eaeec2744108108fecf

SHA512
c8d6f29a04cbefc5996cb9900d7c0ad696a329c0a511bc1fc4e0b4e631aa5d51587a899895bed8a30be946c4cbcadd700108d86d4433e0f7c6c77e1ec478247f

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_bsi_sisyphus_windows_10_nd_user.csv

Filesize
2KB

MD5
27afc16db763246179b3f601d86cda81

SHA1
0e1350d24c511732758b9bc6f690e5fcc78aef81

SHA256
89387fb7b855e55d5001e85270ef2fbd56b1e39f5b46b7b3cc4af1f8eaee5b36

SHA512
203b233e9de9a1aeceb9b704a10a534ca6c54eeff397035455549712becf40af322d35e765f27418c91bcfd494ed22d42d1a0a326497b068b9e9547c0926f914

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_10_enterprise_1909_machine.csv

Filesize
121KB

MD5
adaa531b517e56cc19a0965e6271310b

SHA1
67bdf5b21862f0ffcfd0e3db9c4538b42710dffc

SHA256
462406995fe5300bdaa507cfd40a9f37edc16e98c090efffa2dce48f5cd90e9b

SHA512
9bda7df7a96a4fd3fa96b703623a75c176ad8a696a18d95b304a59fdd084d035f505eb5eb947f0590c38a77720782c865b532f98804740c2d5a86241e7d8e5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_10_enterprise_1909_user.csv

Filesize
3KB

MD5
ac050e48fb4b5842c9d457c7d8fe8a52

SHA1
6b884ebb636c04f5cd98bf61d448b1b01113e607

SHA256
7b448336fe9f036189b614e654194054dc7f11550c4e4d93bbaea21705ec676d

SHA512
9998efd70c00195ea0fb91e4c76c9eea32052267e1ef5b524d198bed080fbef184128bae75560d34243e4158ca23bf642c7532dd4fd3b2e01fcd014da6e3cbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_10_enterprise_2004_machine.csv

Filesize
120KB

MD5
a15394435d993a3a2bc70da86b512b58

SHA1
539c6510021752b3222a9c3ee1d898e54bc38467

SHA256
a88393a294c5c6fac1dfc49879cf18dd866d6b9c2cfb5ac5367d7478d4775e7b

SHA512
ffa7d6d80faf48936e8516e616548abd208870c6565e8a16de13848e8a233ebdf78d565ec5f6abc229d9b12493bb20520442b96dde5456a2a9a959d93aebd229

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_10_enterprise_20h2_user.csv

Filesize
3KB

MD5
ade0c1b8a2b98096d6a6262b14957b86

SHA1
48882e4a36810038899a67eee641dcfd3ed37c62

SHA256
4d9696bb92efb034c1fae4e68a82ced04614e16f0189ecc75d8d81e74c6028de

SHA512
8262852d50235277cf84510833465346514a4cee54bcf6cd2b9ed76c76381b9d22554c02268762da7cf9ca1c105cba69bd2b15a09fd3e2868af77bda84c8a5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_10_enterprise_21h2_machine.csv

Filesize
120KB

MD5
946ad53893a2e5469ed7561fd6560732

SHA1
ad488d35c59fcc3ece1d4f0152f7e92ee0b1babb

SHA256
b1e2576542aec452fbae3a186d1b2ba164c7ab6e4808ae63da07df007e2b64b5

SHA512
1de1c3705e90e3de04c3448476ba1993430a4426c6a52b31bfd63201cc7133f3d139bb60d57a6a163de4038bd5acda2611aee658c042880cef4cc3fba1cba947

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_server_2016_1607_1.3.0_machine.csv

Filesize
80KB

MD5
b1a7e9c7ecdc74fc7ded2db849447f53

SHA1
e3bf562c338445ac232dc93ab540aaaa554531aa

SHA256
cb79904efa973587bc75e8369de42cde89dc25b1e4465f4c770c122985a93943

SHA512
9a65e21bfd7c2f46029ffd5ef88888f1847f9bd6a1799d2891f46abeda446491af71468b717fc006cca8f59a21ec022865a6632479e01af3362f151830ccaa3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_server_2016_1607_1.3.0_user.csv

Filesize
3KB

MD5
2ba95e042f1bae6344a82a09ca4e170c

SHA1
0fb85abc13426c8a1bdced932a116151a61c2787

SHA256
595ef25b80147f01af317f712fdbeddb70a23eaa25e16ea05cea0bd5a32af848

SHA512
4dfdc8ae2a32d48e57277ff796ce2f58b2238fd2ca131aa374801d423c5fc889bf7fadc997b4597e50815a8298eddb2f9af0e947cb31a6caa6178fc81d7bf9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_server_2016_1607_2.0.0_machine.csv

Filesize
90KB

MD5
a654398713fcf2aa38a4adb59b0c1972

SHA1
ac7c2e89b6fafc80c87e0f89e8b8cc7fdae78621

SHA256
e17fd88fe1bd48a787999209352dcc6ee3d61d2fdff4d85ca3c61e0ddc6048ca

SHA512
e2e88a5188b92f40dbefb468a0febb58a566f33e358cde8045ca8d89547eb0ca4a77449200d85af38a03ca9dd0cbba66c67fbc79c8258d6d898e3f886c813e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_server_2016_1607_2.0.0_user.csv

Filesize
3KB

MD5
5fa627bf74fbccd3b511802dbe34bdda

SHA1
dfa22cd72ae1db098a9d122ab3ff7823cefafd7f

SHA256
f0454ceaffc78ca2f8411574f9c29f1eb3ad2fa2cfee388fba66d37fef0a1496

SHA512
8a10079463f927aedc33a51f66deca6e3e1d425bc9351da20619204f4162de6d59c708779c9827a791b3b281b514e5268f10c4f110b52d09f91e02835618eafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_server_2022_21h2_1.0.0_user.csv

Filesize
3KB

MD5
f78ebb58110df53d6409f3569a0e4c24

SHA1
107003b78b51ad672a206f33fe116a2edfa499de

SHA256
3aaa866ab15f466ccb28dfe4f9b3318f67087b1a75ccea5924c59cea60364750

SHA512
61032f8a57b833ae681683d6a89113ca03e1dc641d1eb287af7139941c3eb0c32ac25d3de9f269c280ab9f8c524e7be484753864ebb7c420227b8af0b63ff994

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_dod_microsoft_windows_server_2019_dc_stig_v2r1_user.csv

Filesize
590B

MD5
7ad7e349721acc4ce200f07799e6bccf

SHA1
ebfe75a59509318dd80d334b753b8126f50c4718

SHA256
e792d41ae4f274156e99c5781c6c4b07b200ebcce39e665c8305486517b8cabf

SHA512
c63581dac1099a49b6f29d4132568536a6f2bff8dccdd04244d84abc845d0a3fd0a4e6c69dc7ef7afc626bd539178e493541fd9bfdafc7f09345e2957ce1ef04

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_microsoft_windows_tls.csv

Filesize
12KB

MD5
11e63388034d33b89170d02867c902d6

SHA1
dc1aadbfec33fa6bcb7aeb0eed7991867122100d

SHA256
a30993f356e350c1f1a1958aebe17644d80bfd08af7c8c82cbb357c6238d2bed

SHA512
c7fb89f100b7519b86d816a37bd68cdc4e23f6df2b9551b1b7a404c66eea521d0b08ef3384f5a754c90c26fc3ca5428e10a1d8a1069d5742aa183a6dd3dd4734

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_msft_security_baseline_microsoft_365_apps_v2112_user.csv

Filesize
33KB

MD5
c1f2c8ce68a75665f0a5fb4dc766b121

SHA1
4acce7c0a040b88eafcf7a03acc664d404d8b8a8

SHA256
627f95c45b891948bf729b29c3fb0a1e35b724a629361745c557becb21041009

SHA512
a98547e70d103b81342c358752b6d87e09c35d032ddd8b5124063e480b219be7efe3d767704f46b2791fdde60397719f05dadf4859310395c14ceb4353976285

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_msft_security_baseline_microsoft_365_apps_v2206_machine.csv

Filesize
40KB

MD5
a8b06654744917ac7890bbb20f3f011c

SHA1
e312261df900ad52f528344761187c57c98580f3

SHA256
54b6a9e57c812a8c7ebc6be00ca2e7a2ed505f8e5832c6c16b4e337139ed1cbb

SHA512
5ce93d26c1f60d602f230649f599ceaf53da55d2cd4da123a96ea8bb448cd3f6ecea91efbcc2a68483e712ce4a5400bcd691ed624d5494ea360361b6f6800189

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_msft_security_baseline_windows_11_21h2_machine.csv

Filesize
79KB

MD5
025be9ec1a58a4747c7b24b7a24c5926

SHA1
15903dbf7d863af73306bce55b2db9b9925ec454

SHA256
91974f97d9feffbedc06d341a8445e45529c3a5cc0aa41d67b3d987e9a82da9f

SHA512
d421bd026e4d3893d4e23b94f31e11ad3e2d1400d86b9c8fadb4632d9ce2d0a990cea91c9fd01a3be36ba41e43bb6c05f5cc674ac2fe64e18222f873c08178c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_msft_security_baseline_windows_11_23h2_machine.csv

Filesize
84KB

MD5
d81b9be1d1bbbaa173c2aeb3eb19db51

SHA1
22c495e77fac38953635cd7308becdbed9f9139c

SHA256
863dec07457fa13ee6b2da7b636b5a7b70f87128360320acfc13269601ee19d2

SHA512
29a50f1473093cc601fbfbd1c339be9fbc74502d2ababb16950091b81373b4350f63bde429f4d7d6b6a6043ed54500c5684eef78876f490531816c23604a1b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_msft_security_baseline_windows_11_23h2_user.csv

Filesize
1KB

MD5
e866a9a914a197cb84ebcec51d0a809b

SHA1
f4e5d5da15eb0cf68572486b4f867d89d49e9a40

SHA256
787e864490ca57c777f03d00a9eb90d2c75619da53636495ae17f1704dc2d1a3

SHA512
6375620b154f6e729e45d236352bf3253f71932983f9af73b7981cae79d3862f206a45f6009ddc74d9366360d9c62b4fce6475c2c3ff8673fceeb1756dced8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_msft_security_baseline_windows_server_2004_dc_machine.csv

Filesize
67KB

MD5
7c9099b4bce3e685408b9b7f7eecefe6

SHA1
563084f64ebd0921c2c117e5c25afe6a34f9e191

SHA256
1a1026858fdaf2b7a56d7d2777bebe41378c150bd6cef8f0533ec330e19c9097

SHA512
119fc2ddaddcccd8b3868fda9e32e8ebff873b1dfd79ec3dc0b511dea4b631eaa2f2b8791b488229662ae596999abf5b1d3df9641c0425faac4498dc7a142150

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGCD04.tmp

Filesize
40KB

MD5
3323c8d5164902a522a7075c8b4e94f3

SHA1
bef9b76ff8d74478efee0f629a5b37e6c70328a6

SHA256
80502b4e53f631d1e883a4131cc0542b3104477278a9af0c7611c5bcbff7cc81

SHA512
4aaab92e471afd81780f560e607bc97171d2cf248e33045dc6b83816138347d184e6da9f5b08f0b41d9591b299f77ef6be7494f99c5c835b424c9b572857c3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGCD43.tmp

Filesize
19.7MB

MD5
43acb422a3170620bc6eb2b563621487

SHA1
196f71b6001efad78b955007040c4e44fb90b886

SHA256
fac47052b234681b40196aac1aef18cb1b68414e00508bef458ac38964210e91

SHA512
826cd9acffad67f6d8f8bb099f0ce1dea87c7385b243df61d87e5f0a681ccb7e4a29c238fd459e8e1713627f039b46f83e07ce40e831361db1220fb68af0d53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbqkqlyf.3wg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sce02683.tmp

Filesize
440B

MD5
00a594b29e5d16670a81a56301abaec6

SHA1
2ca51bb66d14dc7be3e74f491ab6970a6d4dde25

SHA256
925282642379281e24c857b04a3f0b97ee5733661888c724b65b2dee73f56c09

SHA512
7d4888ed17123d4d1cb4ca02465245da3f869b1f301937bf206ee73f066c494fb0b59148765436ccc284c2779186ac705bc279ed37a03fc9024c950440822b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\sce02683.tmp

Filesize
661B

MD5
cecd4d174355a253843848479b334c90

SHA1
5d683525294ef3bd9c1389810ad9120125a2a037

SHA256
d4ce83452e56dfa822a134b67b6f5b9706991971ac5450aa657efcba15619ffd

SHA512
6d57d8dd3001e4106e0b76638916ebfd5665a9e42755893d2155e64b1631ab1743739d60f0d4811aa983f2c06ccab2c39af7987c12652d13dce410f729faab3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sce18919.tmp

Filesize
6KB

MD5
f255584dd9d0bab125e21ebbc27087ab

SHA1
df9be9ec3e3721e41a128f8d64d6d707d06a64cd

SHA256
c2c33bdb2e2cd3a222418b04c11a53250f80b3a17a2987e86261d0a4a4164d41

SHA512
757c13b1f7a16b14a01648b5299c62a86bd83c5676a2bbf264f5c8226a37501d8e2db00a5458227f8092273616ec7a0ce251c04d1c09122bb39a0f9164da5b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sce31551.tmp

Filesize
6KB

MD5
7e886985dc9cfdfc80715393c38afb49

SHA1
2637a8cb040ed66b48e0df3fbb3b5a0ebfa98b3d

SHA256
aab2840e7040d5efa6c3c146f0d059bb703a6c18fe6e38fe861ce9567c294700

SHA512
a4a41cf5ec0e5212c87045811242673bc89650e389ca00730f5fa747c710af988cc4321b0bd7e01ac97f48db1568baa0f5a33b8aba3a2d4ec27b95e6923b2ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp148D.tmp

Filesize
12KB

MD5
260535666ff7d027c9320ce65a072238

SHA1
d64d1966493d4f62ec8030e36914be08494ab60a

SHA256
d8c7c3c69eaaa4f0865eb1d77a1684e1929d6576c43882033e81df6065f5ce1b

SHA512
2cad60e9c2c87ef1ef4eb58ea0914876766929826db3093e60b5a07f28252f043547cbf816818b5dc1038c17f389c3a4e2b8f84d2551cb2aae45344e07de0a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B55.tmp

Filesize
6KB

MD5
aa230e316d706c6eb553d9d91596f60b

SHA1
96ca2040c31ad4b6ce80dc2b8baec198df494327

SHA256
ded9d459ba83c4df1ddb1ee524256a5f3dc68cfdb28721ae713193720a79a60b

SHA512
3eb22c166adb63df7814e47490e9f545de521772939db6d586e9b73f1624430c505fb0263cc0b1ec9116187cb9d4f54459d89fdef3154f83fb57a5386e51696a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B55.tmp

Filesize
6KB

MD5
ca82d0192e9bc46fa46328efcb691345

SHA1
3856cdd9bfa1c19b895dec3cd57fcdbcae88bcac

SHA256
519112a49845c3e6d42b33624bc4fd4819d9d868c1dc50d2e6ad8d4ced2c16b0

SHA512
35a2bd386128ce93d146b8bb0adfd8977deffbb4e6779cb3cc34f7fcd7de81e97dee1919956d8da2a5bed2a14ab6c3f89f37c6595a1563dae5ee6ef567d0fc47

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2058.tmp

Filesize
7KB

MD5
f48c00637cfa3e1078a7abff02b27bd5

SHA1
1ee3f911fb21dbda37ed8f9364fb558f1241d053

SHA256
9df06eed219fcea137e9f9ebffdf47eb8cf6ccf050de6292c68bbdf35af33657

SHA512
3081b478a31df7cb8933647f8f8dc4925cb9c846a8d7ab523207d765ee54b8c190708b9cb0591243944250f21e298b1fdd1420e972288b2a3016539ed0334c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2058.tmp

Filesize
2KB

MD5
9ca1649499ba627d955aa1f259a85551

SHA1
fc23833bb30517ce66389740e2684946ce8e9be7

SHA256
289cf1a22edbda37b6845c1693203e77763c8c319ea2cfc984ada003569ff40d

SHA512
6a749b402eca8430433e03173aa0b0e598b218639f9e6bcd39ea506cd0c6cdf9803a8f9f1db2385e9a7769e23ca54af9a785a39f626185840955cfeaf7af7456

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2058.tmp

Filesize
12KB

MD5
3a14f7993d3e70682f41ffd557355faa

SHA1
aefc68bd20d45c98ad69b0ce69b283e0a08feea5

SHA256
4e4e9152f8462bd7e719b34d5b67f188b6c581775af4bff169772ddba3a1f7d1

SHA512
7bfbb689182b77782edd54b2e269cadf85787dd4b62464adeef2877bf1a008fc18cd749f8ae37770f14f198bcaac3f9e9bd701c4b81757c13586c3db3efd237b

Download Submit
memory/3676-37-0x0000028129220000-0x0000028129232000-memory.dmp

Filesize
72KB

Download
memory/3676-38-0x0000028129210000-0x000002812921A000-memory.dmp

Filesize
40KB

Download
memory/3676-1-0x00007FFB41273000-0x00007FFB41275000-memory.dmp

Filesize
8KB

Download
memory/3676-20-0x00007FFB41270000-0x00007FFB41D31000-memory.dmp

Filesize
10.8MB

Download
memory/3676-19-0x00007FFB41270000-0x00007FFB41D31000-memory.dmp

Filesize
10.8MB

Download
memory/3676-18-0x00007FFB41270000-0x00007FFB41D31000-memory.dmp

Filesize
10.8MB

Download
memory/3676-17-0x00007FFB41273000-0x00007FFB41275000-memory.dmp

Filesize
8KB

Download
memory/3676-16-0x00007FFB41270000-0x00007FFB41D31000-memory.dmp

Filesize
10.8MB

Download
memory/3676-13-0x00007FFB41270000-0x00007FFB41D31000-memory.dmp

Filesize
10.8MB

Download
memory/3676-12-0x00007FFB41270000-0x00007FFB41D31000-memory.dmp

Filesize
10.8MB

Download
memory/3676-2-0x0000028128CF0000-0x0000028128D12000-memory.dmp

Filesize
136KB

Download
memory/3676-2900-0x00007FFB41270000-0x00007FFB41D31000-memory.dmp

Filesize
10.8MB

Download
memory/4936-33-0x00000283E2450000-0x00000283E2978000-memory.dmp

Filesize
5.2MB

Download