6b61a90ebc20baa1ee6ea5bc7c4b31c40531616c458b27d19511e4f57f5fbf67

Analysis

max time kernel
35s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New-EXE/hardening-restore.exe
Size

152KB
MD5

b265f35aa5b05e01b939a610166c83ee
SHA1

645e47cdc52481fbf267881bbf9626eca67c4696
SHA256

446e8d0ef0fab6b2182b6c4feea580cf6a43ea59bdac1ee364b380bb5d596ede
SHA512

a2e4c8aa4929c2c216b3c5225c5de9b8893a5b9e531f5979f1b5c01523eff364fc58367988e52a6db6a41ec77321513da665e2e474a5b199f24cb991df76c3d9
SSDEEP

3072:wpvb7RV/8hhb3dLUK94IgqHniOSyaZoc7QNPnP9TBfWSi3CjTz7dTu:Q9VkhhrdYK94IgqHniOSyaZoc7QNPnPK

Score

10^/10

defense_evasion discovery evasion execution lateral_movement persistence privilege_escalation trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "0"	powershell.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	powershell.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	3672	powershell.exe
11	3672	powershell.exe

Allows Network login with blank passwords 1 TTPs 1 IoCs

Allows local user accounts with blank passwords to access device from the network.

Remote Desktop Protocol

T1021.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "1"	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	hardening-restore.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "1"	powershell.exe

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Remote Services: SMB/Windows Admin Shares 1 TTPs 2 IoCs

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

lateral_movement

SMB/Windows Admin Shares

T1021.002

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes = 00000000	powershell.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ossec-agent\active-response\active-responses.log	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3672	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3672	powershell.exe
3672	powershell.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeIncreaseQuotaPrivilege	3672	powershell.exe
Token: SeSecurityPrivilege	3672	powershell.exe
Token: SeTakeOwnershipPrivilege	3672	powershell.exe
Token: SeLoadDriverPrivilege	3672	powershell.exe
Token: SeSystemProfilePrivilege	3672	powershell.exe
Token: SeSystemtimePrivilege	3672	powershell.exe
Token: SeProfSingleProcessPrivilege	3672	powershell.exe
Token: SeIncBasePriorityPrivilege	3672	powershell.exe
Token: SeCreatePagefilePrivilege	3672	powershell.exe
Token: SeBackupPrivilege	3672	powershell.exe
Token: SeRestorePrivilege	3672	powershell.exe
Token: SeShutdownPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeSystemEnvironmentPrivilege	3672	powershell.exe
Token: SeRemoteShutdownPrivilege	3672	powershell.exe
Token: SeUndockPrivilege	3672	powershell.exe
Token: SeManageVolumePrivilege	3672	powershell.exe
Token: 33	3672	powershell.exe
Token: 34	3672	powershell.exe
Token: 35	3672	powershell.exe
Token: 36	3672	powershell.exe
Token: SeSecurityPrivilege	640	auditpol.exe
Token: SeSecurityPrivilege	2820	auditpol.exe
Token: SeSecurityPrivilege	1036	auditpol.exe
Token: SeSecurityPrivilege	2896	auditpol.exe
Token: SeSecurityPrivilege	3192	auditpol.exe
Token: SeSecurityPrivilege	3784	auditpol.exe
Token: SeSecurityPrivilege	1172	auditpol.exe
Token: SeSecurityPrivilege	1908	auditpol.exe
Token: SeSecurityPrivilege	4484	auditpol.exe
Token: SeSecurityPrivilege	3016	auditpol.exe
Token: SeSecurityPrivilege	1552	auditpol.exe
Token: SeSecurityPrivilege	3136	auditpol.exe
Token: SeSecurityPrivilege	4128	auditpol.exe
Token: SeSecurityPrivilege	1704	auditpol.exe
Token: SeSecurityPrivilege	4964	auditpol.exe
Token: SeSecurityPrivilege	3188	auditpol.exe
Token: SeSecurityPrivilege	4072	auditpol.exe
Token: SeSecurityPrivilege	3112	auditpol.exe
Token: SeSecurityPrivilege	2928	auditpol.exe
Token: SeSecurityPrivilege	3204	auditpol.exe
Token: SeSecurityPrivilege	3652	auditpol.exe
Token: SeSecurityPrivilege	2884	auditpol.exe
Token: SeSecurityPrivilege	3436	auditpol.exe
Token: SeSecurityPrivilege	1308	auditpol.exe
Token: SeSecurityPrivilege	2036	auditpol.exe
Token: SeSecurityPrivilege	1592	auditpol.exe
Token: SeSecurityPrivilege	4500	auditpol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 3672	1092	hardening-restore.exe	83
PID 1092 wrote to memory of 3672	1092	hardening-restore.exe	83
PID 3672 wrote to memory of 4824	3672	powershell.exe	105
PID 3672 wrote to memory of 4824	3672	powershell.exe	105
PID 4824 wrote to memory of 4072	4824	net.exe	106
PID 4824 wrote to memory of 4072	4824	net.exe	106
PID 3672 wrote to memory of 1328	3672	powershell.exe	107
PID 3672 wrote to memory of 1328	3672	powershell.exe	107
PID 1328 wrote to memory of 3800	1328	net.exe	108
PID 1328 wrote to memory of 3800	1328	net.exe	108
PID 3672 wrote to memory of 4592	3672	powershell.exe	109
PID 3672 wrote to memory of 4592	3672	powershell.exe	109
PID 4592 wrote to memory of 2580	4592	net.exe	110
PID 4592 wrote to memory of 2580	4592	net.exe	110
PID 3672 wrote to memory of 112	3672	powershell.exe	111
PID 3672 wrote to memory of 112	3672	powershell.exe	111
PID 112 wrote to memory of 1904	112	net.exe	112
PID 112 wrote to memory of 1904	112	net.exe	112
PID 3672 wrote to memory of 4640	3672	powershell.exe	113
PID 3672 wrote to memory of 4640	3672	powershell.exe	113
PID 3672 wrote to memory of 1412	3672	powershell.exe	114
PID 3672 wrote to memory of 1412	3672	powershell.exe	114
PID 3672 wrote to memory of 4844	3672	powershell.exe	115
PID 3672 wrote to memory of 4844	3672	powershell.exe	115
PID 3672 wrote to memory of 3112	3672	powershell.exe	116
PID 3672 wrote to memory of 3112	3672	powershell.exe	116
PID 3112 wrote to memory of 1848	3112	net.exe	117
PID 3112 wrote to memory of 1848	3112	net.exe	117
PID 3672 wrote to memory of 3208	3672	powershell.exe	118
PID 3672 wrote to memory of 3208	3672	powershell.exe	118
PID 3208 wrote to memory of 2172	3208	net.exe	119
PID 3208 wrote to memory of 2172	3208	net.exe	119
PID 3672 wrote to memory of 3280	3672	powershell.exe	120
PID 3672 wrote to memory of 3280	3672	powershell.exe	120
PID 3280 wrote to memory of 3664	3280	net.exe	121
PID 3280 wrote to memory of 3664	3280	net.exe	121
PID 3672 wrote to memory of 2896	3672	powershell.exe	122
PID 3672 wrote to memory of 2896	3672	powershell.exe	122
PID 3672 wrote to memory of 3708	3672	powershell.exe	123
PID 3672 wrote to memory of 3708	3672	powershell.exe	123
PID 3672 wrote to memory of 724	3672	powershell.exe	124
PID 3672 wrote to memory of 724	3672	powershell.exe	124
PID 3672 wrote to memory of 4596	3672	powershell.exe	125
PID 3672 wrote to memory of 4596	3672	powershell.exe	125
PID 3672 wrote to memory of 1328	3672	powershell.exe	126
PID 3672 wrote to memory of 1328	3672	powershell.exe	126
PID 3672 wrote to memory of 5028	3672	powershell.exe	127
PID 3672 wrote to memory of 5028	3672	powershell.exe	127
PID 3672 wrote to memory of 640	3672	powershell.exe	128
PID 3672 wrote to memory of 640	3672	powershell.exe	128
PID 3672 wrote to memory of 2820	3672	powershell.exe	129
PID 3672 wrote to memory of 2820	3672	powershell.exe	129
PID 3672 wrote to memory of 1036	3672	powershell.exe	130
PID 3672 wrote to memory of 1036	3672	powershell.exe	130
PID 3672 wrote to memory of 2896	3672	powershell.exe	131
PID 3672 wrote to memory of 2896	3672	powershell.exe	131
PID 3672 wrote to memory of 3192	3672	powershell.exe	132
PID 3672 wrote to memory of 3192	3672	powershell.exe	132
PID 3672 wrote to memory of 3784	3672	powershell.exe	133
PID 3672 wrote to memory of 3784	3672	powershell.exe	133
PID 3672 wrote to memory of 1172	3672	powershell.exe	134
PID 3672 wrote to memory of 1172	3672	powershell.exe	134
PID 3672 wrote to memory of 1908	3672	powershell.exe	135
PID 3672 wrote to memory of 1908	3672	powershell.exe	135

C:\Users\Admin\AppData\Local\Temp\New-EXE\hardening-restore.exe
"C:\Users\Admin\AppData\Local\Temp\New-EXE\hardening-restore.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\948F.tmp\9490.tmp\9491.ps1
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Blocklisted process makes network request
  - Allows Network login with blank passwords
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Remote Services: SMB/Windows Admin Shares
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" accounts /UNIQUEPW:20
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /UNIQUEPW:20
      4⤵
      PID:4072
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" accounts /MAXPWAGE:42
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /MAXPWAGE:42
      4⤵
      PID:3800
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" accounts /MINPWAGE:0
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /MINPWAGE:0
      4⤵
      PID:2580
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" accounts /MINPWLEN:0
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /MINPWLEN:0
      4⤵
      PID:1904
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\tmpD06F.tmp /areas SECURITYPOLICY
    3⤵
    PID:4640
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /import /cfg C:\Users\Admin\AppData\Local\Temp\tmpD06F.tmp /overwrite /areas SECURITYPOLICY /db C:\Users\Admin\AppData\Local\Temp\tmpD070.tmp /quiet
    3⤵
    PID:1412
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\tmpD070.tmp /overwrite /areas SECURITYPOLICY /quiet
    3⤵
    PID:4844
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" accounts /lockoutwindow:14 /lockoutduration:14
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /lockoutwindow:14 /lockoutduration:14
      4⤵
      PID:1848
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" accounts /lockoutthreshold:Never
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /lockoutthreshold:Never
      4⤵
      PID:2172
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" accounts /lockoutwindow:14
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /lockoutwindow:14
      4⤵
      PID:3664
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\tmpD61E.tmp /areas SECURITYPOLICY
    3⤵
    PID:2896
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /import /cfg C:\Users\Admin\AppData\Local\Temp\tmpD61E.tmp /overwrite /areas SECURITYPOLICY /db C:\Users\Admin\AppData\Local\Temp\tmpD61F.tmp /quiet
    3⤵
    PID:3708
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\tmpD61F.tmp /overwrite /areas SECURITYPOLICY /quiet
    3⤵
    PID:724
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\tmpDB41.tmp /areas SECURITYPOLICY
    3⤵
    PID:4596
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /import /cfg C:\Users\Admin\AppData\Local\Temp\tmpDB41.tmp /overwrite /areas SECURITYPOLICY /db C:\Users\Admin\AppData\Local\Temp\tmpDB42.tmp /quiet
    3⤵
    PID:1328
- - C:\Windows\System32\secedit.exe
    "C:\Windows\System32\secedit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\tmpDB42.tmp /overwrite /areas SECURITYPOLICY /quiet
    3⤵
    PID:5028
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE923F-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9239-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9237-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9235-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0cce9248-69ae-11d9-bed3-505054503030} /success:disable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3192
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3784
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9217-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0cce9249-69ae-11d9-bed3-505054503030} /success:disable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9216-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4484
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9215-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE921C-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE921B-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9244-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4128
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9224-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9227-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9245-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3188
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE922F-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9230-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3112
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9231-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9232-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3204
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9234-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9228-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9213-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3436
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9214-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9210-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9211-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- - C:\Windows\System32\auditpol.exe
    "C:\Windows\System32\auditpol.exe" /set /subcategory:{0CCE9212-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4500
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "net accounts /lockoutthreshold:0"
    3⤵
    PID:5156
  - - C:\Windows\system32\net.exe
      net accounts /lockoutthreshold:0
      4⤵
      PID:5144
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 accounts /lockoutthreshold:0
        5⤵
        
        PID:5136
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:4072
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" stop WazuhSvc
    3⤵
    PID:2948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WazuhSvc
      4⤵
      PID:5712
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" start WazuhSvc
    3⤵
    PID:5736
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start WazuhSvc
      4⤵
      PID:5760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Password Policy Discovery

T1201

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

SMB/Windows Admin Shares

T1021.002

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\948F.tmp\9490.tmp\9491.ps1

Filesize
48KB

MD5
a58cbf8282dc35e100b322d16ebf5354

SHA1
1ae87e7826b0f9f61a7f7a2ca7c707956a5b406e

SHA256
2a5993e4046ddb7052b0417a7448051b21c8d7bd51dcf9f777a96c9146919404

SHA512
c41f7e155b88cae0e513f4bd02d9cecda2a9ff3f1b2620e94dbe2525e38beccf18684c2883b5e65532361d4a3056e1c42a671caf8e6bec4ac91a9681b81fe488

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\hardeningkitty_log_utkbeblo_Custom-Hardening-Script-for-windows10-11-Revert-20241119-110054.log

Filesize
4KB

MD5
fff2393f0cd3c3799cb420619e997924

SHA1
9d0095a857a5033fef4991874b4395b8bc7fdd28

SHA256
feb8fe8bbaca58ac6f07e9709b16e63e303fa752997ce92d2aef3f75462c5edd

SHA512
366ac3a6ae9a09abda3023abb479a14d65e0bdbdce388a4ebc208857cd91705e4d7c57f54725b7d266ad5e1938390878ce80aa97383db6d660a62250d3c7d7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\hardeningkitty_report_utkbeblo_Custom-Hardening-Script-for-windows10-11-Revert-20241119-110054.csv

Filesize
3KB

MD5
231c971ac23a5af168c5e9f81dd5078f

SHA1
65f6d99badfa9f7a170a8e4c73ada81eb8fd607a

SHA256
84ee8ae7c90f20647601482296013216e634f22c0f8ea5bc0246a45d8abdb438

SHA512
0f1fb6105bac1777d29689ee29d92b40d9ee353d1ffd41d439a151d92103ce7037f0f7297bc413091760012039510bf6a8fa800f7f531ab4fc53ce0c92bd67cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\hardeningkitty_report_utkbeblo_Custom-Hardening-Script-for-windows10-11-Revert-20241119-110054.csv

Filesize
3KB

MD5
43b5f307cf67b18c3457e00fc7a44118

SHA1
8ca252cf3e9ea6c3a6ce0d6e047d4a94cb70cce4

SHA256
7b8fc420949671577b8d4a60eee5c2a853cddae9a5e2d1f3ab917122940ec4ba

SHA512
e2cf0fa9850a6edce4ffd2169267df35562c3f30e64c9382a4fd460ef2c6b7765245e9eb511ceff256feb8c87d472da174e5e376f6551c7c27f2ed9b80471d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\hardeningkitty_report_utkbeblo_Custom-Hardening-Script-for-windows10-11-Revert-20241119-110054.csv

Filesize
5KB

MD5
baa026b3d291f63fcf56a519119214a2

SHA1
2b4860c0e61705cd9f0867ea1bf58f8e160ab515

SHA256
efa783b44db705e5da62c942afb3037d912377aa86c6f04c21a23e2aa3c2bd5b

SHA512
29f5d6bd82c2828c0e4415535aad1d61a083cdb4dbb347e41fe0965c70ccfc21d7e6e88154ba276febc5f6526b48339e22c66c63b01b9986d205d1af58067bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_bsi_sisyphus_windows_10_nd_user.csv

Filesize
2KB

MD5
27afc16db763246179b3f601d86cda81

SHA1
0e1350d24c511732758b9bc6f690e5fcc78aef81

SHA256
89387fb7b855e55d5001e85270ef2fbd56b1e39f5b46b7b3cc4af1f8eaee5b36

SHA512
203b233e9de9a1aeceb9b704a10a534ca6c54eeff397035455549712becf40af322d35e765f27418c91bcfd494ed22d42d1a0a326497b068b9e9547c0926f914

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_10_enterprise_1909_machine.csv

Filesize
121KB

MD5
adaa531b517e56cc19a0965e6271310b

SHA1
67bdf5b21862f0ffcfd0e3db9c4538b42710dffc

SHA256
462406995fe5300bdaa507cfd40a9f37edc16e98c090efffa2dce48f5cd90e9b

SHA512
9bda7df7a96a4fd3fa96b703623a75c176ad8a696a18d95b304a59fdd084d035f505eb5eb947f0590c38a77720782c865b532f98804740c2d5a86241e7d8e5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_10_enterprise_1909_user.csv

Filesize
3KB

MD5
ac050e48fb4b5842c9d457c7d8fe8a52

SHA1
6b884ebb636c04f5cd98bf61d448b1b01113e607

SHA256
7b448336fe9f036189b614e654194054dc7f11550c4e4d93bbaea21705ec676d

SHA512
9998efd70c00195ea0fb91e4c76c9eea32052267e1ef5b524d198bed080fbef184128bae75560d34243e4158ca23bf642c7532dd4fd3b2e01fcd014da6e3cbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_10_enterprise_2004_machine.csv

Filesize
120KB

MD5
a15394435d993a3a2bc70da86b512b58

SHA1
539c6510021752b3222a9c3ee1d898e54bc38467

SHA256
a88393a294c5c6fac1dfc49879cf18dd866d6b9c2cfb5ac5367d7478d4775e7b

SHA512
ffa7d6d80faf48936e8516e616548abd208870c6565e8a16de13848e8a233ebdf78d565ec5f6abc229d9b12493bb20520442b96dde5456a2a9a959d93aebd229

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_10_enterprise_20h2_user.csv

Filesize
3KB

MD5
ade0c1b8a2b98096d6a6262b14957b86

SHA1
48882e4a36810038899a67eee641dcfd3ed37c62

SHA256
4d9696bb92efb034c1fae4e68a82ced04614e16f0189ecc75d8d81e74c6028de

SHA512
8262852d50235277cf84510833465346514a4cee54bcf6cd2b9ed76c76381b9d22554c02268762da7cf9ca1c105cba69bd2b15a09fd3e2868af77bda84c8a5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_10_enterprise_21h2_machine.csv

Filesize
120KB

MD5
946ad53893a2e5469ed7561fd6560732

SHA1
ad488d35c59fcc3ece1d4f0152f7e92ee0b1babb

SHA256
b1e2576542aec452fbae3a186d1b2ba164c7ab6e4808ae63da07df007e2b64b5

SHA512
1de1c3705e90e3de04c3448476ba1993430a4426c6a52b31bfd63201cc7133f3d139bb60d57a6a163de4038bd5acda2611aee658c042880cef4cc3fba1cba947

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_server_2016_1607_1.3.0_machine.csv

Filesize
80KB

MD5
b1a7e9c7ecdc74fc7ded2db849447f53

SHA1
e3bf562c338445ac232dc93ab540aaaa554531aa

SHA256
cb79904efa973587bc75e8369de42cde89dc25b1e4465f4c770c122985a93943

SHA512
9a65e21bfd7c2f46029ffd5ef88888f1847f9bd6a1799d2891f46abeda446491af71468b717fc006cca8f59a21ec022865a6632479e01af3362f151830ccaa3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_server_2016_1607_1.3.0_user.csv

Filesize
3KB

MD5
2ba95e042f1bae6344a82a09ca4e170c

SHA1
0fb85abc13426c8a1bdced932a116151a61c2787

SHA256
595ef25b80147f01af317f712fdbeddb70a23eaa25e16ea05cea0bd5a32af848

SHA512
4dfdc8ae2a32d48e57277ff796ce2f58b2238fd2ca131aa374801d423c5fc889bf7fadc997b4597e50815a8298eddb2f9af0e947cb31a6caa6178fc81d7bf9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_server_2016_1607_2.0.0_machine.csv

Filesize
90KB

MD5
a654398713fcf2aa38a4adb59b0c1972

SHA1
ac7c2e89b6fafc80c87e0f89e8b8cc7fdae78621

SHA256
e17fd88fe1bd48a787999209352dcc6ee3d61d2fdff4d85ca3c61e0ddc6048ca

SHA512
e2e88a5188b92f40dbefb468a0febb58a566f33e358cde8045ca8d89547eb0ca4a77449200d85af38a03ca9dd0cbba66c67fbc79c8258d6d898e3f886c813e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_server_2016_1607_2.0.0_user.csv

Filesize
3KB

MD5
5fa627bf74fbccd3b511802dbe34bdda

SHA1
dfa22cd72ae1db098a9d122ab3ff7823cefafd7f

SHA256
f0454ceaffc78ca2f8411574f9c29f1eb3ad2fa2cfee388fba66d37fef0a1496

SHA512
8a10079463f927aedc33a51f66deca6e3e1d425bc9351da20619204f4162de6d59c708779c9827a791b3b281b514e5268f10c4f110b52d09f91e02835618eafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_cis_microsoft_windows_server_2022_21h2_1.0.0_user.csv

Filesize
3KB

MD5
f78ebb58110df53d6409f3569a0e4c24

SHA1
107003b78b51ad672a206f33fe116a2edfa499de

SHA256
3aaa866ab15f466ccb28dfe4f9b3318f67087b1a75ccea5924c59cea60364750

SHA512
61032f8a57b833ae681683d6a89113ca03e1dc641d1eb287af7139941c3eb0c32ac25d3de9f269c280ab9f8c524e7be484753864ebb7c420227b8af0b63ff994

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_dod_microsoft_windows_server_2019_dc_stig_v2r1_user.csv

Filesize
590B

MD5
7ad7e349721acc4ce200f07799e6bccf

SHA1
ebfe75a59509318dd80d334b753b8126f50c4718

SHA256
e792d41ae4f274156e99c5781c6c4b07b200ebcce39e665c8305486517b8cabf

SHA512
c63581dac1099a49b6f29d4132568536a6f2bff8dccdd04244d84abc845d0a3fd0a4e6c69dc7ef7afc626bd539178e493541fd9bfdafc7f09345e2957ce1ef04

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_microsoft_windows_tls.csv

Filesize
12KB

MD5
11e63388034d33b89170d02867c902d6

SHA1
dc1aadbfec33fa6bcb7aeb0eed7991867122100d

SHA256
a30993f356e350c1f1a1958aebe17644d80bfd08af7c8c82cbb357c6238d2bed

SHA512
c7fb89f100b7519b86d816a37bd68cdc4e23f6df2b9551b1b7a404c66eea521d0b08ef3384f5a754c90c26fc3ca5428e10a1d8a1069d5742aa183a6dd3dd4734

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_msft_security_baseline_microsoft_365_apps_v2112_user.csv

Filesize
33KB

MD5
c1f2c8ce68a75665f0a5fb4dc766b121

SHA1
4acce7c0a040b88eafcf7a03acc664d404d8b8a8

SHA256
627f95c45b891948bf729b29c3fb0a1e35b724a629361745c557becb21041009

SHA512
a98547e70d103b81342c358752b6d87e09c35d032ddd8b5124063e480b219be7efe3d767704f46b2791fdde60397719f05dadf4859310395c14ceb4353976285

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_msft_security_baseline_microsoft_365_apps_v2206_machine.csv

Filesize
40KB

MD5
a8b06654744917ac7890bbb20f3f011c

SHA1
e312261df900ad52f528344761187c57c98580f3

SHA256
54b6a9e57c812a8c7ebc6be00ca2e7a2ed505f8e5832c6c16b4e337139ed1cbb

SHA512
5ce93d26c1f60d602f230649f599ceaf53da55d2cd4da123a96ea8bb448cd3f6ecea91efbcc2a68483e712ce4a5400bcd691ed624d5494ea360361b6f6800189

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_msft_security_baseline_windows_11_21h2_machine.csv

Filesize
79KB

MD5
025be9ec1a58a4747c7b24b7a24c5926

SHA1
15903dbf7d863af73306bce55b2db9b9925ec454

SHA256
91974f97d9feffbedc06d341a8445e45529c3a5cc0aa41d67b3d987e9a82da9f

SHA512
d421bd026e4d3893d4e23b94f31e11ad3e2d1400d86b9c8fadb4632d9ce2d0a990cea91c9fd01a3be36ba41e43bb6c05f5cc674ac2fe64e18222f873c08178c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_msft_security_baseline_windows_11_23h2_machine.csv

Filesize
84KB

MD5
d81b9be1d1bbbaa173c2aeb3eb19db51

SHA1
22c495e77fac38953635cd7308becdbed9f9139c

SHA256
863dec07457fa13ee6b2da7b636b5a7b70f87128360320acfc13269601ee19d2

SHA512
29a50f1473093cc601fbfbd1c339be9fbc74502d2ababb16950091b81373b4350f63bde429f4d7d6b6a6043ed54500c5684eef78876f490531816c23604a1b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_msft_security_baseline_windows_11_23h2_user.csv

Filesize
1KB

MD5
e866a9a914a197cb84ebcec51d0a809b

SHA1
f4e5d5da15eb0cf68572486b4f867d89d49e9a40

SHA256
787e864490ca57c777f03d00a9eb90d2c75619da53636495ae17f1704dc2d1a3

SHA512
6375620b154f6e729e45d236352bf3253f71932983f9af73b7981cae79d3862f206a45f6009ddc74d9366360d9c62b4fce6475c2c3ff8673fceeb1756dced8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-EXE\main\Hardening-windows-main\lists\Windows\finding_list_msft_security_baseline_windows_server_2004_dc_machine.csv

Filesize
67KB

MD5
7c9099b4bce3e685408b9b7f7eecefe6

SHA1
563084f64ebd0921c2c117e5c25afe6a34f9e191

SHA256
1a1026858fdaf2b7a56d7d2777bebe41378c150bd6cef8f0533ec330e19c9097

SHA512
119fc2ddaddcccd8b3868fda9e32e8ebff873b1dfd79ec3dc0b511dea4b631eaa2f2b8791b488229662ae596999abf5b1d3df9641c0425faac4498dc7a142150

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w5r1pb20.u1x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sce29301.tmp

Filesize
7KB

MD5
a2877265b7fac12b68cc2ebce394f515

SHA1
c593bce2731ad5717caf6a41f3a6929073a5caea

SHA256
bfe3fd2f717808b34b17e4c7263d602e6fefb8751ee0251ce55592a5cff242d1

SHA512
913f4fc1449c0e7cead3946416ff8a16b3460b579193e0bda02ce6d225968091be58db61830873707f5dbe4c80c3b0d88802480a6c81d6edbb983bce2f6ed12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sce65649.tmp

Filesize
6KB

MD5
a79b3ba35e2abc40c71c4bfac8827b99

SHA1
68dd910edc961cfb229e403dec9cb1145ec91d05

SHA256
720faf8f6d144ce7b90f2f708dfe739100332b7aafd7d339cc442879b4f50129

SHA512
fa8730650e56bbab70313985aab3b3139772acb07cf4a1491f1087f92a1bed96c0d8cd983a47fea528ef35700f03c5edbcc1135a1ed929651f7eebc028b4c6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sce70328.tmp

Filesize
1KB

MD5
c836bfdaa61be3314d12d501cb7f081f

SHA1
3638a04b3ff43359ac777f8b34a0c0b138bcfd94

SHA256
4420beaa5537d6869863db3cea6ed26fde7e4996c04936f5018846a2df109915

SHA512
9676d4557b290bb67098c3be20eabe090d658f4405d182c2a172a159c40e85b3c3a45c01f7cd9011b46ed0da1b48080841588b4eb669f949a75409a08894c224

Download Submit
C:\Users\Admin\AppData\Local\Temp\sce70328.tmp

Filesize
6KB

MD5
f20205a23585810c2d81faebadeaef5d

SHA1
7b125a59625b5b6cb04411d3515f20710531a2ab

SHA256
ff617dffb4c51f1b641fbd863bdae223f881ca6b7e6692e641f5ab2938207e18

SHA512
9b4e4bf9b8e86206bb0dd660f39f9cdfc3afa2a788bd440078bfd2e12431de981a365c2f1ff8f14d0b970636f2686e37067171cdca109b8e61500ba832b01c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD06F.tmp

Filesize
7KB

MD5
99d7d8dafcd906cde348e9f295f6f787

SHA1
6668cf114d900a473418617e358dc5fa23dec414

SHA256
982b712b38fd5196c2196bca63111b9b98b01be3f7627d55a01e70c7a46f0ab8

SHA512
0d76fcd83af0e99379e310e4d1ece0a2fa4dcb557a387801170affbc007143d04386fff363fb00fdbff1216365703f63091f419769b2dc0932a599f5db22069b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD06F.tmp

Filesize
5KB

MD5
6672c5fea727c4bc66c6b7f81df9f2e4

SHA1
59ddee18047097c05bcaf3a17856a9ed23411512

SHA256
99695a26ee81e99eb632e4a4f99c8025a1a3df8d0d9f16a5fd3195033147156a

SHA512
bda067eb04d38dacd9813e034a5b093c736ad30adfd630cb66672850db22a8f30da0882b0373bf640513382f2a15da0f61b4bcce0eed841ec1b881573969bff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD61E.tmp

Filesize
2KB

MD5
73fe0cbdcb96f2d1287f4175a8aef5b0

SHA1
7851d78331060c3cce1d221faedc7fa7c4018140

SHA256
5b73fc7927d1380e04799458d1fe41d6b207fcdadaf09f38986dbaa6e374391d

SHA512
07e730ebd9de3e0da7aeece476c998fbe31b4a6e2edb08a0d2be1f1ff548237f5da059ca987f44edd937817bbfd32cee1c3531ae9f1c34dab15edd2b4338a0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD61E.tmp

Filesize
13KB

MD5
775b8ceee8dca24c2484f06b2721c5fe

SHA1
a4385f8227cb1ecbeafa5d6f5f23fbc02d3bc4b5

SHA256
9b4a3644b439147d11288f813372ea46a743974361684f065876b19822ce6569

SHA512
5eda9ff4210ef1fedd65a4154505e334c82b1994e8547358aa0b025a8375a104ff75eda6c11a3c73ed709c24377665f2085dd325a0c1e1e9d69ed6d99e8aa552

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB41.tmp

Filesize
5KB

MD5
eb0de1ab5e53b6bbe7eb69e20822ce4c

SHA1
ec07d03624d11a1295e9b69bf2758e260ef79fc0

SHA256
3c6af8791b8b5d6affa896fea31df7577bb800e187c9a4a6dcf99dced06fe53c

SHA512
a891e310eaeb1ea534f9d9bdbddd11dd44672f4e50e8d69536ca19f1d30e3b8fa8f82ca4da39ea7c03fabdb191057bd42877820b64870582e9a3fe3d128cfc9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB41.tmp

Filesize
7KB

MD5
5068a100e56f382378f78952ba089ce1

SHA1
8d96bdf7efb4a2b62e7cabd284b0bf2d36975e05

SHA256
28e0a08724279d1c360c67203df1744aecbe6541c573a681807ce6fca655ee70

SHA512
4f2507408d55c34f85365af3fb298138925eee0872aaf4c7fdae9e0ad9102b00906f27cc5651113343e739995806a05ddfbce00bd7cbe32e1023df9da8b52ebf

Download Submit
memory/3672-13-0x00007FFD36350000-0x00007FFD36E11000-memory.dmp

Filesize
10.8MB

Download
memory/3672-131-0x00007FFD36350000-0x00007FFD36E11000-memory.dmp

Filesize
10.8MB

Download
memory/3672-19-0x000001DD92700000-0x000001DD92712000-memory.dmp

Filesize
72KB

Download
memory/3672-2-0x000001DD92670000-0x000001DD92692000-memory.dmp

Filesize
136KB

Download
memory/3672-666-0x00007FFD36350000-0x00007FFD36E11000-memory.dmp

Filesize
10.8MB

Download
memory/3672-16-0x00007FFD36350000-0x00007FFD36E11000-memory.dmp

Filesize
10.8MB

Download
memory/3672-210-0x00007FFD36350000-0x00007FFD36E11000-memory.dmp

Filesize
10.8MB

Download
memory/3672-14-0x00007FFD36350000-0x00007FFD36E11000-memory.dmp

Filesize
10.8MB

Download
memory/3672-1-0x00007FFD36353000-0x00007FFD36355000-memory.dmp

Filesize
8KB

Download
memory/3672-20-0x000001DD926F0000-0x000001DD926FA000-memory.dmp

Filesize
40KB

Download
memory/3672-28-0x00007FFD36350000-0x00007FFD36E11000-memory.dmp

Filesize
10.8MB

Download
memory/3672-21-0x00007FFD36350000-0x00007FFD36E11000-memory.dmp

Filesize
10.8MB

Download
memory/3672-18-0x00007FFD36353000-0x00007FFD36355000-memory.dmp

Filesize
8KB

Download
memory/3672-2876-0x00007FFD36350000-0x00007FFD36E11000-memory.dmp

Filesize
10.8MB

Download