d50ebf3a3a55e22195e53edd557618e2d9b0d4903a14bae33dcd1351e16590a3

Analysis

max time kernel
150s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
13/05/2024, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Eleven.exe
Size

245KB
MD5

fe7e313a10d6c8b7f3520851a31b479a
SHA1

af28d7f96404be348f5d8f354169ed0d7ad5660a
SHA256

d50ebf3a3a55e22195e53edd557618e2d9b0d4903a14bae33dcd1351e16590a3
SHA512

9cafc803381301cc73a781f21fb63c3c27b4cdb60bf0857c03b2a4661cbc5a2aa20d069e44fbb9bdd76626093e38b4b770facf93e6e9e6c63ce8b774620f569a
SSDEEP

6144:Nx/LcTEyF1dH3VOVw44UOisbaxHUsAxyOzk9jAUdubJ:MBREcUkHxy8yAb

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Eleven.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Eleven.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Eleven.exe

Blocks application from running via registry modification 2 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Eleven.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Eleven.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Eleven.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\gmreadme.s0s	Eleven.exe

Executes dropped EXE 1 IoCs

pid	Process
4852	Eleven.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Eleven.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Eleven.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Eleven.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Eleven.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\icsxml\ipcfg.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\Recovery\ReAgent.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\@WirelessDisplayToast.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\sppui\phone.s0s	Eleven.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpitime.s0s_amd64_4456a4584af0a603\acpitime.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnport.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\@VpnToastIcon.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\ieuinit.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\SecurityAndMaintenance_Error.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\icsxml\cmnicfg.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\ras\switch.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\Eleven.exe	Eleven.exe
File created	C:\Windows\System32\DriverStore\FileRepository\3ware.s0s_amd64_408ceed6ec8ab6cd\3ware.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\@AppHelpToast.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\NdfEventView.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\SecurityAndMaintenance.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\Bthprops\@BthpropsNotificationLogo.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\DefaultAccountTile.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prncnfg.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.Format.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\F12\Timeline.cpu.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpipagr.s0s_amd64_a661407420d5cf84\acpipagr.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prndrvr.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HelpV3.format.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpi.s0s_amd64_1facf5c0b549e8ff\acpi.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\icsxml\potscfg.s0s	Eleven.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpipmi.s0s_amd64_e483b4d6fbab8545\acpipmi.s0s	Eleven.exe
File created	C:\Windows\System32\DriverStore\FileRepository\amdgpio2.s0s_amd64_808fe94735c4c6b3\amdgpio2.s0s	Eleven.exe
File created	C:\Windows\System32\DriverStore\FileRepository\amdsbs.s0s_amd64_e2a1e49127fb17ef\amdsbs.s0s	Eleven.exe
File created	C:\Windows\System32\DriverStore\FileRepository\athw8x.s0s_amd64_55014eff4ceefbdf\athw8x.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnqctl.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\getevent.types.s0s	Eleven.exe
File created	C:\Windows\System32\DriverStore\FileRepository\audioendpoint.s0s_amd64_cf61c05bbeae918c\audioendpoint.s0s	Eleven.exe
File opened for modification	C:\Windows\SysWOW64\Eleven.exe	Eleven.exe
File created	C:\Windows\SysWOW64\Msdtc\Trace\msdtcvtr.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Event.Format.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\@AudioToastIcon.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\slmgr.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\System32\DriverStore\FileRepository\adp80xx.s0s_amd64_efb36fdc260e8bc8\adp80xx.s0s	Eleven.exe
File created	C:\Windows\System32\DriverStore\FileRepository\arcsas.s0s_amd64_b3d75f82c617ac6a\arcsas.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\@EnrollmentToastIcon.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsCodecsRaw.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\ras\pad.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\wbem\xsl-mappings.s0s	Eleven.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acxhdaudiop.s0s_amd64_a72f89b4d7876048\acxhdaudiop.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\typesv3.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\SecurityAndMaintenance_Alert.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\wsmanconfig_schema.s0s	Eleven.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpidev.s0s_amd64_62eee5ffb4fab318\acpidev.s0s	Eleven.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp7167.tmp"	Eleven.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.scale-125_contrast-white.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-80.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintAppList.targetsize-64_altform-lightunplated.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-125.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-lightunplated_contrast-black.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-72_altform-unplated_contrast-black.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintSmallTile.scale-200.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\contrast-black\CameraAppList.targetsize-256.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateSquare50x50Logo.scale-400.s0s	Eleven.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-20_altform-lightunplated.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-250.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-64_contrast-black.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Graphing.targetsize-32_contrast-white.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-20_contrast-black.s0s	Eleven.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-100.s0s	Eleven.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-40_altform-unplated.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-100.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.scale-100_contrast-white.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintAppList.targetsize-20_altform-unplated.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintAppList.targetsize-32.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-100_contrast-white.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-150.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-400_contrast-black.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.scale-200_contrast-white.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\inifile.targetsize-256.s0s	Eleven.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\VisualElements\LogoCanary.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleSplashScreen.scale-100.s0s	Eleven.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\RenderingControl_DMP.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\FetchingMail.scale-125.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsBadgeLogo.scale-125_contrast-black.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-80_contrast-black.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contact_us_3people.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-64_contrast-black.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-16_altform-unplated.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\AppxManifest.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadMedTile.scale-100.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Photo_Watercolor_Thumbnail_Dark.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\AppxManifest.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-200.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsWideTile.scale-100_contrast-white.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Photo_BlueMountains_Thumbnail.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-30_altform-unplated_contrast-black.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.scale-200_contrast-white.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\SplashScreen.scale-200.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-180.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SnipSketchAppList.targetsize-96_altform-unplated.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosStoreLogo.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\TXP_3color_ServiceReservation_378_Dark.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-150.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-80_altform-unplated.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-80_altform-lightunplated.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-black\PowerAutomateSquare310x310Logo.scale-150.s0s	Eleven.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22000.194_none_15db8cfb1c6a6b33\logo.targetsize-80_altform-unplated.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..diagnostics-package_31bf3856ad364e35_10.0.22000.37_none_9fb69ca862f02d04\NetworkDiagnosticsVerify.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.469_none_fdfb724cd2e5c0ff\common-listview-vm.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\retailDemoLocal.s0s	Eleven.exe
File created	C:\Windows\INF\ksfilter.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\media\oobe-intro.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ementwmi-powershell_31bf3856ad364e35_10.0.22000.1_none_3f8d8d758c7d1fcb\Storage.types.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.22000.120_none_8faca973dc064b74\NarratorAppList.scale-100.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds-dm_31bf3856ad364e35_10.0.22000.1_none_9e4e3d24776cddf1\Windows Background.s0s	Eleven.exe
File created	C:\Windows\diagnostics\system\Power\Power_Troubleshooter.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22000.194_none_15db8cfb1c6a6b33\UpdateRestore.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\images\ProvisionedApplicationsWhite.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\images\smalllogo.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\Assets\SplashScreen.Theme-Dark_Scale-140.s0s	Eleven.exe
File created	C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Exchange.Theme-Dark_Scale-400.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_hidtelephonydriver.s0s_31bf3856ad364e35_10.0.22000.348_none_934999e5d3556c91\r\HidTelephonyDriver.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.22000.120_none_28babea403fb06cb\Square44x44Logo.targetsize-20_altform-unplated.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.469_none_fdfb724cd2e5c0ff\oobe-light-progress-template.s0s	Eleven.exe
File created	C:\Windows\WinSxS\x86_netfx4-cfx_core_sql_files_b03f5f7f11d50a3a_4.0.15806.0_none_817ee68927563552\SqlWorkflowInstanceStoreSchema.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\gatherNetworkInfo.s0s	Eleven.exe
File created	C:\Windows\WaaS\regkeys\7d06486ae99beb45ced199480ddff358d347c849.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.22000.1_none_a3e51f070f511641\PasswordExpiry.scale-100.s0s	Eleven.exe
File created	C:\Windows\INF\hidi2c.s0s	Eleven.exe
File created	C:\Windows\INF\ndisuio.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\Square71x71Logo.contrast-white_scale-125.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-onecoreuap-wlansvc_31bf3856ad364e35_10.0.22000.282_none_3e060dd677ae570d\Rules.System.Wireless.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..talcontrolssettings_31bf3856ad364e35_10.0.22000.65_none_d600b69a2b616bce\MicrosoftFamily.scale-400_contrast-white.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.22000.1_none_320485a967710068\WiFiNetworkManagerWarningToast.scale-400_contrast-black.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..scannerpreview-host_31bf3856ad364e35_10.0.22000.1_none_e8a0f20bd3d53965\StoreLogo.s0s	Eleven.exe
File created	C:\Windows\diagnostics\system\PCW\RS_ProgramCompatibilityWizard.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_hidcfu.s0s_31bf3856ad364e35_10.0.22000.1_none_267bae0f86cfb447\hidcfu.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\PPIRemovableStorageDevicesSquareTile150x150.scale-100.s0s	Eleven.exe
File created	C:\Windows\SystemResources\Windows.ParentalControlsSettings\Images\MicrosoftFamily.scale-400_contrast-white.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\Square44x44Logo.targetsize-64_altform-lightunplated.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_prnms011.s0s_31bf3856ad364e35_10.0.22000.100_none_c07698c3eed47050\f\prnms011.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\RatingStars47.scale-200.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-migrationengine_31bf3856ad364e35_10.0.22000.348_none_53ff6ed560767984\SFPATRS1.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.22000.493_none_a9fee4e32efd000a\fd6598122489ab56bffaf7f6676165c57428611a.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.469_none_fdfb724cd2e5c0ff\oobeoutro-page.s0s	Eleven.exe
File created	C:\Windows\INF\defltbase.s0s	Eleven.exe
File created	C:\Windows\Panther\diagerr.s0s	Eleven.exe
File created	C:\Windows\INF\net8192su64.s0s	Eleven.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedMedTile.scale-400.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wlansvc.resources_31bf3856ad364e35_10.0.22000.1_en-us_940927a09ae3f621\Report.System.Wireless.s0s	Eleven.exe
File created	C:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_security_b03f5f7f11d50a3a_4.0.15806.0_none_05efee0c25166f78\setUpAuthentication.s0s	Eleven.exe
File created	C:\Windows\INF\mdmomrn3.s0s	Eleven.exe
File created	C:\Windows\INF\netl1e64.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..er.appxmain.ratings_31bf3856ad364e35_10.0.22000.1_none_9f994bec1559e1ba\RatingStars43.contrast-white_scale-200.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..er.appxmain.ratings_31bf3856ad364e35_10.0.22000.1_none_9f994bec1559e1ba\RatingStars49.scale-200.s0s	Eleven.exe
File created	C:\Windows\INF\athw8x.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-explorer-shortcuts_31bf3856ad364e35_10.0.22000.51_none_99f76de22cbda898\Run.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..stencemigration-net_31bf3856ad364e35_10.0.22000.1_none_01f45f85a08060f0\MSFT_NetTeredoConfiguration.types.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfiguration\BingConfiguration_en-GB.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_xboxgip.s0s_31bf3856ad364e35_10.0.22000.100_none_677657c80d26d435\f\xboxgip.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..tings-windowsclient_31bf3856ad364e35_10.0.22000.1_none_d08f2366c88c9e59\windows.uif_ondemand.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bitsdiagnostic_31bf3856ad364e35_10.0.22000.1_none_a28f9e18295bf6f5\RC_BITSRegKeys.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..sservice-powershell_31bf3856ad364e35_10.0.22000.1_none_e8cedc56dfc8136e\SmbWitness.types.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\square150x150logo.scale-150_contrast-white.s0s	Eleven.exe
File created	C:\Windows\SystemResources\Windows.ParentalControlsSettings\Images\MicrosoftFamily.scale-400_contrast-black.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_hiddigi.s0s_31bf3856ad364e35_10.0.22000.1_none_bc53a426425cce32\hiddigi.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-printing-printtopdf_31bf3856ad364e35_10.0.22000.1_none_d87392e24b550bc6\MPDW-pipelineconfig.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_netfx35cdf-cdf_sql_files_31bf3856ad364e35_10.0.22000.1_none_f870dbcdd6502660\DropSqlPersistenceProviderSchema.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_netfx35cdf-cdf_sql_files_31bf3856ad364e35_10.0.22000.1_none_f870dbcdd6502660\SqlPersistenceProviderLogic.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-explorer-shortcuts_31bf3856ad364e35_10.0.22000.51_none_99f76de22cbda898\3 - Windows Explorer.s0s	Eleven.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4948	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	Eleven.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	Eleven.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Eleven.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows	Eleven.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Eleven.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Eleven.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	Eleven.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	Eleven.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Eleven.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\PowerShell	Eleven.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\PowerShell\EnableScripts = "0"	Eleven.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Eleven.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	Eleven.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	Eleven.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Eleven.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Eleven.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRun = "1"	Eleven.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Eleven.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Eleven.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Windows\PowerShell	Eleven.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3308	powershell.exe
3308	powershell.exe
716	powershell.exe
716	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3112	Eleven.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	4852	Eleven.exe
Token: SeDebugPrivilege	716	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 3308	3112	Eleven.exe	78
PID 3112 wrote to memory of 3308	3112	Eleven.exe	78
PID 3112 wrote to memory of 3308	3112	Eleven.exe	78
PID 3112 wrote to memory of 4948	3112	Eleven.exe	80
PID 3112 wrote to memory of 4948	3112	Eleven.exe	80
PID 3112 wrote to memory of 4948	3112	Eleven.exe	80
PID 4852 wrote to memory of 716	4852	Eleven.exe	86
PID 4852 wrote to memory of 716	4852	Eleven.exe	86
PID 4852 wrote to memory of 716	4852	Eleven.exe	86

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Eleven.exe

C:\Users\Admin\AppData\Local\Temp\Eleven.exe
"C:\Users\Admin\AppData\Local\Temp\Eleven.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Drops file in Drivers directory
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3112
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3308
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /tn "Windows Update" /tr "C:\WINDOWS\SysWOW64\Eleven.exe" /sc MINUTE /mo 1 /ru SYSTEM /f /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:4948

C:\WINDOWS\SysWOW64\Eleven.exe
C:\WINDOWS\SysWOW64\Eleven.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4852
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\show_third_party_software_licenses.s0s

Filesize
320B

MD5
afeee17d2c3c0a5c1827eb04e1634dbb

SHA1
f57b097048bcccfebf2186271cf4016d63753d23

SHA256
edab44318426fe5c541c464aa79959a0f5f4fb9654741b3e955a06ca75678013

SHA512
60af20ff863d98c7fd723f6bc88e3a2c55c73d8f5a39f39835a046e5f53321300e087fdd83c9010b30240a2dc5244cf53aee578859f9a9c033d312f54dc53bb0

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.s0s

Filesize
192B

MD5
ed0af3a4d56612a322e9cca80899c772

SHA1
d9390f58a738f8ead0a777bfaf94171ecb64b067

SHA256
ba73593d42d94fcf99fe906a1f86897b27ab14ca8210e2642f2d09725fb366bf

SHA512
9a0ef337facab941a7454536a8f05cc914f8993d471d7b17944869225ce03f16f5e6d9d89335f54e797c28b6ea39491e95ce1c4b97fa617eb3bab796a3bfa851

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.s0s

Filesize
192B

MD5
a170bc892abff7fc7f309e53c1431752

SHA1
55324b544388891c658c5cb2b0f6fe4c8e9bb6b7

SHA256
48e0dc24ee3ccba7f21bf4fe25a278dcb90e3e7d73894e5a49935499b82f05be

SHA512
337b9c87d6972019dfebeec59e5879fa7f23934d11ac8c4ecce38860e0d58b9ed9fc3ee75c0cce732ade4e8486b179eb8e150def4e001d29db34da19f8a9c984

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.s0s

Filesize
48B

MD5
efbfdfc8a4831b93dc96d86b91c810b6

SHA1
90b5fb89f413bbb22a2cf7d55c4cbcf7639235c1

SHA256
81feaca089a0ed42bbf92abd68cd9e59a3f38bb2456465cae50f66e8a219c4c9

SHA512
07488ddaa5236c649d37c26c1ad11bfca5d537512f419524ed661528a2f436389e94272843762f444ce581da5dba4b1f468ec28845168853ee46c6cbbb3bafee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.s0s

Filesize
333KB

MD5
bd5a09a5537b1b218305b4069c77b9c3

SHA1
d9b90880c1cdc1dd0de319b60cca03ff2ba80cab

SHA256
54c474b48b5df816f0693a0de5ef5c02dc4b078f4d912237a25cd1b51b1f331c

SHA512
51c63eb157909511b97d3bee80297f26aff4192c1d48804958fecc40399f755d859c3c2205c79da83e4ab57b0afdd7e268ba1831a2137da5a3a488754b9ab7b3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7c9f4f74-3094-4814-8e9d-c3da99452c7d}\0.1.filtertrie.intermediate.s0s

Filesize
16B

MD5
8b6174b915f739c1c9f3ffd16056b663

SHA1
14ce561e085828e8d29120af5e61fa8c76438120

SHA256
92810fc1d064507a328c34eaa18e7ec990eec023afa114c90331601c16d0fd0c

SHA512
f7bd5079f9e2fcafdfde9d1461318ac50a5999926b263e2276b8b2fc52d1515daa10d6ab94f387b6e3d35c066004e44f16c6621fb47d344cd93b4656d2f8eedc

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7c9f4f74-3094-4814-8e9d-c3da99452c7d}\0.2.filtertrie.intermediate.s0s

Filesize
16B

MD5
58d730d71c9194cd0fc2c3fc4ce869c5

SHA1
58df2056b36435d33582f8a41b96803ff03a32b0

SHA256
198b0f02fbf58fee533102d71c2085fadeea9f66881663f9028b554ece49a8cc

SHA512
9f8cc0a05f2b18649538344c89319263db0b7e7f7aa476b6e86a54c8e384654d0cc09653b17ff3ffec2a3450acc203be1d1401ed9de3e07fdf0da9b938cfd2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_is2jsejs.rbp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\ImmersiveControlPanel\images\TileSmall.scale-100.s0s

Filesize
4KB

MD5
6b32edb9b4a53dcf22499499faca9cfd

SHA1
13e7601f6392c6d88589077d02125bd2e040c369

SHA256
9ab29f535c12df554b1a94140c2b052a10a62177e91eea2ca02cf2b433db67b1

SHA512
dd2afafa7115aec061f09f3aab6a8cbd04995062986dd2e8831546a7671f5f58b6a9efdde14b0f06613f0aaec733ac6efe295f3bc689d31799e45c4779936b5e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp.s0s

Filesize
6KB

MD5
3e8fde93b6f7726a2423e727ab50810d

SHA1
234e407f904d286ff2cc3d784a814e2882281213

SHA256
51786da78691ee048ccc4faa50380dd50c1ec13dc636920acfb636e0e1e1fbba

SHA512
4fc10a74c8d0026b42e72fc55c65671cc017d1da02623b08b37ca2245b7b131ae31f6630e30ddba0b2f8ddacd751d4dcac10565905e22343f2456d5e3f6a6f3c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.s0s

Filesize
13KB

MD5
a80c2904304b7d1516eaf1d0e955fad6

SHA1
3f78aea783d3c43302eaba7d4085dcd7cb681c30

SHA256
c78ef8f8587ec601db442a0e04611b01d8f1f8280f16a2a5027d4f3a56f01885

SHA512
e92b0179caafefb22b9cf8d138dcf494628d3327bd0e6c4ce7c423d207bc94af53826280fd56dc468c2a3d0eef0348b8e49ac6e2ef51b46f809c873aaebeb03a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Internals.s0s

Filesize
3KB

MD5
dcbed7557f4cc1f81c271e2c340a0658

SHA1
27082d703cf4c6ae8b94b6c1144d88f9ca5f41ad

SHA256
0c92a4d5caa1f169523371d7ddefe21d7923a3345f110ebefbb90e9087717144

SHA512
714647db227790686f639cb370c8fb2738672d0a50813205b6e9c6151b503c869a255b326a168b30bbb5f80f7b3c81f50dc0c33df91dbcd11346b9bf57294572

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Provider.s0s

Filesize
6KB

MD5
07db7f8fb2ef0deb26a8996f75d2303f

SHA1
5706fde8c02ee15df5ba816109c7cff860a93421

SHA256
a2c9e79768fda90aad3a53a34cdf8290400daa92cd6a82e6c56af6d363462ea5

SHA512
4b72377705513db290189af0356a6901d38891a696aca986e816a801c7bf0f6a82318626099b5b43ddf93603fdedae0027330463a01b5d66db09af24fe3ed14b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Security.s0s

Filesize
10KB

MD5
11556dc95ac02154495370f517e6210e

SHA1
d4663d58cb5e01254bcc304197d1fe487e85c4e3

SHA256
aca9479bc579c5cecdcc6e7744c34d9d2ca7a4ef527f6b79a79f8248c46c6ed7

SHA512
f8405f479724d5880f7a692376c3f81b7fa75ffaa692410afef13f9772f9f4d2c6212df74357a4c3be8aae39220676e06a44d18a630c26ba8b0176414cd4d5e9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\default.s0s

Filesize
4KB

MD5
2ed445eeb958b696c39ccee4b7b404d3

SHA1
a8989a77b505540b83179255dba42518608191ae

SHA256
459ec9a9f122f9632b721f2ad41a171d929b2506949492c17754ed045214def6

SHA512
fdfdb280743b643a463f61538a5dde819a338f8193e19c20f074fa3061d33cc2ff237f7b84454e40a1fc503c190b554a6bcac9afe55e4cea23116fd0e25f51e3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\error.s0s

Filesize
6KB

MD5
ddce8525c87d54b0a306427fa46499d5

SHA1
4815d22ad75554d75b5979cb5f41b8d1cdbb863e

SHA256
6d0c0b5ba10b7672159beba4c77f65bd9892dbb6c2a0d65a345688f84f1b3933

SHA512
b6dfd353272f3e76586c50bc5e1acee6546b935a3d658958f5b295c608c728ee4bbaee4ecc245097c4af6a4d72b74e21a4460dfe403bc0bfb8e17773378e3981

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\home0.s0s

Filesize
1KB

MD5
1af675517c45581b1efa63bed3f9c2be

SHA1
8747a386fb02d92ec6cbae2299a042e8f262ccc5

SHA256
194374753306bb3ff2d2caac44b0f458d89d5166f8105f689f8a9bacfebab3a8

SHA512
737fcc07e309fa4954f521fb7c0a3b28fd8919c9b31089a5676b0e3519d4e2ecfa747103f5ffa5388bebfe1e4ff0ab4532688eed0d988bc4771bef59fd11a7d0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\home1.s0s

Filesize
752B

MD5
3061714769499c85248da1ff8619dc18

SHA1
5646d5084cc3a786898d4c5e37af241f872b80b3

SHA256
ddd60a27805316e2318c32e9ad5933e1e71f487072cfb41f1d619edc8c3a39d1

SHA512
4638df9369c729491e66191ac482933f62002ccbb349a059c23a7027f5b3eda711a0118c18f8cecf28b19262edca2510f89aaf0fff128d2a4ad51e1f91b676cc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\home2.s0s

Filesize
1KB

MD5
f40b412f52ec12ae39e6c022e7d73c77

SHA1
f95ff49a73061ed7d166ae106d2d05f845171fb6

SHA256
09f992c52dd3be72cfc922a2cfb2dcb238624206d672fd81de68ff66dc7c0e15

SHA512
d8c7707776a910a1f16f0fd1752310162b9e765ae3172c77c992dad20decf9b752ac0b991931742db07444ebe5dff4e58cd8fdaa49a2d0ca433c2d6463049dfb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\DefaultWsdlHelpGenerator.s0s

Filesize
68KB

MD5
8bd86321159631c3d92ee454d0355ff2

SHA1
3ab480ded663d9313bba26c97d6d695165896a51

SHA256
afd9f3f8f051a51886ff7bd47672297028a85b7190140dfb5b836fdee8cbe64d

SHA512
7b1f209c9bcbf697107819796cf3072b970f723f124b24700ac07522fb05e8b3206ba2084aa3536255abe47e940a3fef8bdba648afc4c256eed6319ab5776c36

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallCommon.s0s

Filesize
24KB

MD5
5fbef33d41cd116a2093fe42bf820d61

SHA1
267f5c5806a8fa957991619157f7271cd6b84d93

SHA256
c3ba8b8ae1d878f1084cf269f3ea3f1d5dd909dd22ae10df247983582a719cf1

SHA512
460707246dc3a54e02a8f995106af406890455c992cde4a508b27cbda5d7fa3ec642cfb86059339a6a5864087289fd8a1631484aabf3e26ca9dec9495c3ef7df

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallMembership.s0s

Filesize
54KB

MD5
56eabf9a028f0e16e4f603d19e5857d3

SHA1
700c7ddc05652a5870599dadfaf2306014936c04

SHA256
94f99b8763fa2d6b76068e5856efc49db165745260fb51d1e0d4b6b36d294e1b

SHA512
75faabee1c03e2d4f5cb4ffd96dc5ae53a9a5e28405136ec6659816f45451ea49b9d849aca28106e86b7a6d9aea1e6c0ec312c56de366a117df7eac47910b569

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersistSqlState.s0s

Filesize
51KB

MD5
1b9fe3e9958dda142f1542b8188c16d7

SHA1
8ce8bb777f66e79cf2825f49f12274e60338348e

SHA256
a9a8dfd70025b0eb563d1b0c6e46c3e376504d4b3826e0d4ca7f8adb3a0c7a41

SHA512
c1d2efd6960bab5a36df814e0c69606d810424a602e94ec6ea5cc3ff46f44b66a038c385ccff70f186f141820d28ef12ece20960b7c46a08999d765886f5f06c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersonalization.s0s

Filesize
34KB

MD5
c741f973fc24c216fe8c8876a5e1faf6

SHA1
6e2b6c1c0fab84e83faff50d8d1363afc8c363a1

SHA256
9881c5e6b2f071f8506e597802b61bef115e4ac09689a4956357bfe27365edcb

SHA512
a8d6d935672abe11dbda28b8866010a39f24b34fc2fc43b7edadae4df77affe0a1fd527f95c41a163aa45d878a0dfec9daef4b712c16b591b5f8ae99b871d12e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallRoles.s0s

Filesize
33KB

MD5
75a10ea6c5af4c5c5f9a56e16a9faa8a

SHA1
67d7963c7cd8964a13252cc5c356aa6640438a07

SHA256
9efa23cda0b8839e4168012753af87dafae9ff250392d9c2e241756c7ae3eb34

SHA512
1136e84f59d432d14fe79827b9aa6f99aa88b871dbdad2339502e9e59b27c2f0ff1761de681de24306327fac19a008b335c6bf9f495d6994ad122abe7f011a76

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlState.s0s

Filesize
50KB

MD5
034abd5f6439c25f8b85806997f5dd19

SHA1
208ff68614262a5df0431eac52f78e4dbd97b4f9

SHA256
198f253620e4c5a55179b38f099f2772f204c1c539a2b87a4d4a01e8c25edfbd

SHA512
12868bc3ca238240e8c641e7dd87b3a46626adc4c9f6787827a48fa3f3b8ba78181f836039d54d2e224ae90dee3b77a426dfe2a2647e2164c81fb84eb466be0e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlStateTemplate.s0s

Filesize
52KB

MD5
6a57b6bf53d5919eea04913f1389f63b

SHA1
37e4d9b668014b2a097751007bb890a4cc4d53b8

SHA256
5a25ed582442778144bff128f2c0ae8f0fa0e25d880fc32ccd9a3ee825c67487

SHA512
541f9d2d89bf40bc97a75bc8753d519a0a9570b1eee545854e9e4c29295f9e022ad99c0341df15334efb4ae91a2711504f78f1bd486e47e71ba25ef7fdf01a4b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallWebEventSqlProvider.s0s

Filesize
6KB

MD5
f8947939b6cb230161e3c5f3ffc527c6

SHA1
a7d50db89ad5f9abcb039f5f0deaf8cf717bd384

SHA256
8fa26cd7ebd72f1f76757809c8d8793e4532ed03a513e95a94545d306190c352

SHA512
25326c25d3071d4d18bc924e70abce01bcca84eb5b75516b13bd4b5be7358fcc2022c6a18f0456aae1763d5370b363891e2c86d80649f32fd3a0ef533cdb8a72

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallCommon.s0s

Filesize
3KB

MD5
5fe9c1f7aede79edf8584e2180853fab

SHA1
041bb44ec83f7c92e5d883eed0ec78661ae55a49

SHA256
e190898218ed2d96561760d9fcffdfb961120a9527136c59990a5a8654d1e25e

SHA512
7a49ef1fe9fe979b849badc2751903fcdc20037a345a014a19698feed511c00d5f1bc55cb88cae2b69a870fc4d4b50794870107f6ee09132279ebb03503f2c8e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallMembership.s0s

Filesize
6KB

MD5
70dbb69c9ae578ba12cdef1c88d7511a

SHA1
693218dbd46b598b0ce238304ad7d248d04a953c

SHA256
19dc37e7587293e517830f37a1bf111cd6677102f34707f6049edefddc9097ec

SHA512
b00165d6d95d9fe8d5aa81de4763b1dce04f5a534c6d0decf0e7b88d457662dc4d68d0f1b364d82a6ec4b0ef21c60cf25ee097e307a7b7fb64ff97ca381dddfe

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersistSqlState.s0s

Filesize
9KB

MD5
b83ecbdbc5861c5f6fa3c03a8f955ea7

SHA1
1d9aba2e506c74e271e14863b0e3b2262c02f384

SHA256
971e24255a8df49d82ed6de2f0eda7f3240b0d793e28a98c9d214c0d435d4596

SHA512
204780324e0e56b66c34e9384577202afa855181aaf7f73f9d6a49455a2634af02a12b513bbad40e4da0106674c7cc8f04e28aeda5034f079ea38cc812b38e6b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersonalization.s0s

Filesize
7KB

MD5
a27b3286355283157d89e718557b34da

SHA1
0a4ba7a208f19907d71ad6f8c3501514f1570a76

SHA256
813d981b875adfb869d72b4560e59e7485deb09d95a346d2bc0a223aaa2c41d8

SHA512
421e045d5eaac1930d87d000d482baf4e8fa92c8007b0fe3a3990bc11b7d6fd9aa00cfb142f9d10210c064370970072361c7decc389cb4fee5e4e54c48a300b8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallRoles.s0s

Filesize
5KB

MD5
787d4de3d9f43c99cb1637fe27af1e32

SHA1
b0b91d785bc769082d4e5b247e78b40a8abfc71f

SHA256
cfbc426ac55b3c136828fbfee7e32684dc4e37c1bd0ad2bc3bb6a4585d82e1f9

SHA512
9eb442a7b55cabf6b4016c7695158cf290cf5725bdb800cf7fb43d79d05aa0c89d34063c75b98fccebfd9befdcb84f1754051c6615a45b1efa58f10bf14a9231

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlState.s0s

Filesize
9KB

MD5
e209b57e0f6302e62ad7fc936fe6578b

SHA1
c443e3e4987bdd97393b2c1e38c6101bfa44515a

SHA256
980fc28394638183efbc32d5acb3606b66a737fdf2fed94319b895b37f5d5538

SHA512
e1bf8c05a018464287d14682fb679bc79fb454401efb6696f27fafbc3d3fd8baeeee3c6d900a20b9351a7da3442068e948635e0a95a85e0ea3a6a63d604d340e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlStateTemplate.s0s

Filesize
11KB

MD5
85954e725f428aca08ee626f0d32d0db

SHA1
7ea685b974024dde540909beaf89f6e37db0b961

SHA256
e3f240d266599873ca20787680a6bc96f3f808e9f507b376fa44f2a32a76471b

SHA512
fe5e2b1d075dabe58864d5cdc166002ba04bc95051d9bc4cede5c50924f8e3339d38a14054f0ba3a05a6d4f50c65139dfa44dd59c6531131156ba1905b0d98c1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallWebEventSqlProvider.s0s

Filesize
2KB

MD5
85c4ff8b78278f9096df5bdf8340538b

SHA1
d455987d13d16ddfb2594da0c8ab2cadc9fa070d

SHA256
62204b15efad19937eb79fed7aee09e915c3117ff347c833bf93a2a1c0e11d99

SHA512
50e3f331d6946d1c2fadb7e0b4e9a687f85e2f9bc58ffa7f4edcd5e61a9f4872ed5f0b3bf73ae2e504381043fabcfffb02e2223b22868fc3a25fb28af4f9c036

Download Submit
C:\Windows\PrintDialog\Assets\splashscreen.s0s

Filesize
2KB

MD5
67b3138c14cc5f6ef63815d501238bd5

SHA1
ffe87e5db9d05f8fb6961664addd5b3a6f4b27f5

SHA256
e33bb419614278d77181a91a33c9a414a522a2d77d0f0ed91550a57bb37e9d98

SHA512
e83671d6dd9e582c28278f83c8e83b3ea274aa7407bf98505918d5286310a999ed21804ae9def37f479f19eff0d79eadf9e8e58bb4b4818018140fcbe1d01379

Download Submit
C:\Windows\SysWOW64\DefaultAccountTile.s0s

Filesize
28KB

MD5
0d8fcbb7d1e17caca662a353d210b096

SHA1
640c59814a72747f2eff7a194cbc713d09da0b7e

SHA256
6c5063c7dd533bcc872fc5f6afc51ade953d856eac71b17f1ebafb372a50b963

SHA512
5ef316d369113074ee19e52f7248f80225932da26fbce0d31596562941628deb10cf67b2191b2dceeb2b96d31a4f63d9ea34caad1f700fb9d8f879c6be328e53

Download Submit
C:\Windows\SysWOW64\Eleven.exe

Filesize
245KB

MD5
fe7e313a10d6c8b7f3520851a31b479a

SHA1
af28d7f96404be348f5d8f354169ed0d7ad5660a

SHA256
d50ebf3a3a55e22195e53edd557618e2d9b0d4903a14bae33dcd1351e16590a3

SHA512
9cafc803381301cc73a781f21fb63c3c27b4cdb60bf0857c03b2a4661cbc5a2aa20d069e44fbb9bdd76626093e38b4b770facf93e6e9e6c63ce8b774620f569a

Download Submit
C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\Assets\StoreLogo.s0s

Filesize
480B

MD5
5442d58f26db70b9d7fcc59f9feefdbc

SHA1
132716044b1e51217150859bd3e3783117972c93

SHA256
b87499772fb4733464b1940612592d10cb227c106af5e51777679a048024fbd2

SHA512
9939c15c91ed81da2420e9103cf51c0fc8197e5c2b6f645d8165f464329e606b1d6045b6933f17c692305af6ee23420be53d2d2b69522fe3b1abdde6b9c76258

Download Submit
C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\Assets\SplashScreen.contrast-white_scale-100.s0s

Filesize
80B

MD5
8f46c50448e83d7e286be1cce3f6a325

SHA1
def1dbdceecab6a4c385b9fdbdf612b0fb029f3a

SHA256
e5a5085ee103082af4ed08a245ebab5b2cff3362de6cf0a9a0e710b14567aa35

SHA512
d7c4590f10351ad0b4768272dbe0943de399fd1c6f9275949eefae63dbcea434cb3603336732f1dfe27b391ddb43473630b9a6ba6d8f7e73df5312eef721d89f

Download Submit
C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\wide310x150logo.scale-400.s0s

Filesize
3KB

MD5
2a75e0ed3b6a441a0ab2ca1e5868d3a9

SHA1
8deb1de6dddfaf736e7ad3537b2698e995f896bf

SHA256
46e8bbde3f377e596e67bfe282d1bc20694da7e2026ba3742b59c8d2a1a4edb9

SHA512
2ff6d8993c1151cb73f6d235b03d902aec7f2e765231f9d490cbf21771821d91835576a482465a4caa2daa0e4e17d79696901d19c78b21232f156eb42c247b3d

Download Submit
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\SplashScreen.s0s

Filesize
1KB

MD5
cbbc9d1bd3a4c44104d7b76f3c4afe0f

SHA1
a02a1332b4b72f7f31960655818ed84da6890dec

SHA256
6e981210c3a5cbb0c78c1be1979c329aee9a22742b5ead817405f723abd5bfe4

SHA512
7eb9970321de4dc95fce867821f797238fc9f12af389aabd58e95f203a374671c76ba86a69ff222ba796dd75ff12c3288eba1b19778ca8bbb9502e3b4d6378fa

Download Submit
C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Square44x44Logo.targetsize-24_altform-unplated.s0s

Filesize
320B

MD5
938f77b713ffbf3dc096f0be81775c52

SHA1
adb3853e6e2b16a2fb510eb13a20b88875e3342f

SHA256
287567ffa824c0a3f7e1c11695a06d9defb8e231d265dce485f65db14872aaa8

SHA512
44edc5b2bac884ea666a28e44cc284fdd9c19585cc53b1e1ea3658bd5ceef240e166f66f2a9bbee1b3ba0dc5a920d67a1e59edf9ee61ee36a99c322328c3e269

Download Submit
C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Wide310x150Logo.contrast-black_scale-200.s0s

Filesize
1KB

MD5
4492acbf363f70a65f8e048ae0b757ff

SHA1
beeaaa287687e3c2afe162d593acc3d2afa0702e

SHA256
8edc0d913452963184ce0703db3ef9963e41f896806cd53326354346b89561c1

SHA512
76c359c8d8659b8c13ef29544b7304e5fd42d4e327dbc987ba80854b5c44df02b4ce8b9a8f86d58ad16fee4f68746e82faf80e41fac166e83a95c906064006b6

Download Submit
C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Wide310x150Logo.contrast-black_scale-400.s0s

Filesize
5KB

MD5
95e83aeed35b29ff91a020a2ab9f6138

SHA1
ce5f26508d33879cd7f05ee542316f0342a14bab

SHA256
57d48cd066c9380e8c344e39fb0d3c868e758eb5e6c5e7b2d23ec4b1968e5e24

SHA512
72cf28ce55f450e5aec26b2f642193dc29d8df3423b9cad44c75946cd9910a563a84d9e5355c33eb7e4a193f824fafab6560d63bed3135445327d0d90c0afd0e

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-16_altform-unplated.s0s

Filesize
816B

MD5
625889a83735722121cab195991ea2e2

SHA1
49addc7949f9bfdfce3f9b841d4de3a6c2743d51

SHA256
32478bfdeb936ae7ada33c7e2c807612034f090b579e8299c1807a1a2c959b45

SHA512
82f1ae9c77124abd7c158466aa24e5622d40842646c6f8d63b161376418a70c7813b574ead8e6a6cf3ff0217f109acb1dccf7a6c5fa3dac545437371b8b2132f

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-20_altform-unplated.s0s

Filesize
1KB

MD5
7bb1cfb12f9a01dd470f083cd1d796e0

SHA1
93648d8262cbfe951bcf4ca23dae9ca53f51fae3

SHA256
82b8b42e77aff00ebd6c2d1d8b7aa3adbd563f3ffdc43a266a33998460ea94fd

SHA512
22db27275ce3b70cad56ac77de6fa5ea20f75686211d8bed8e6398eb469fb271c8e9fe002a66bc1ee0a4396e9f649ede1680517d4ab7191d646ce0d5edaa0dff

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-24_altform-unplated.s0s

Filesize
1KB

MD5
fc1d4f3d87d69ded36e68b8d06345c48

SHA1
b283e625cefa0964c2d3aba89a5a32e170d83bf9

SHA256
4da7a021dd60929a8af846b2e90189ae7d6daf83f241de12bb239b75be7485db

SHA512
93eaabd3be946f87b6b561388b4a5679666ad98bccb3db6aa124675a418560975bedb46173fa1081b596165c4737ee2114534066864a451da3800d12ae0fe39c

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-256_altform-unplated.s0s

Filesize
24KB

MD5
61db4f19b38d00e42d7d178243500ddf

SHA1
a3498d0eb6786f036d43dcbbc51bff42d62a31de

SHA256
4da6abdb3c9c7162ef1313dbf1e3fa02551662e84356f41c5f4a686958b0c429

SHA512
43dde17da6753f786dcd30f6a7e599eb2b0c1e4df09b8e1db1e867dedaca0e8817db0b07b79d85d588adacf048f3f79cbaca180b69e0d36a89d58311af89be75

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-30_altform-unplated.s0s

Filesize
1KB

MD5
918aebb14ef996d16ff57a3ec30ec18e

SHA1
a62055dca2238c06e393385320ae554dd6d34ba9

SHA256
3871899d59119e35d25d1726866a6377f6444b2f5b285d784adf2944e7a11608

SHA512
e229da88ca2d29da15ac99d1ed1ad1d04a4c68c757d8f21948aa746691cb375628153e4e27f60ccf956712a098a00da6ec2739ed67efb98f6c6deb3d1efbc93e

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-32_altform-unplated.s0s

Filesize
1KB

MD5
f8e7d74eb84423197595c0fde527af20

SHA1
f9f7f26519e7cfc6338fde97a1ebddfac3ae3095

SHA256
4dca93048cd77a7221ad3d7c9cd6740631c0bf97021c89050b6a136857705360

SHA512
4f692a4e8a18ed5ddce215b219dcf26b0b89bbcb4bd60d2da5c716b53ad3ad8888811b5f15e0e5202fa1f25d05e11c6c790f7924f623d829501f2a75c8ee8048

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-36_altform-unplated.s0s

Filesize
2KB

MD5
e88ccc75339578c60915af3a36fd13b9

SHA1
79f19cd31873e8b81f9852cc2028b76d511d2d1c

SHA256
39e916e8fed61fd67114d15f3570bd0f78a7e169a481ecc816e0d05773284c4b

SHA512
e4cd1c14e06565cb7c6e777df34d7ac0917b06c2df4ffe0356d3aedee974de95c1a816de0eb3d783b9e34a4b6eae567fb0d7aa8e63b5ffea12d03fd407ebaf7f

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-40_altform-unplated.s0s

Filesize
2KB

MD5
937a922801825264ecb2a6d40f8167e0

SHA1
3101515ebaf36b681f1f693f0fbd9f72c84f7c42

SHA256
e27f5506b58866838440caa19b756a6182323635b8ab15f1394dc6c58e29573a

SHA512
bf3d9e2f1d4773cd850804d301561196d35ffdf033864e1bcd0b2459820accb14ae815bc123a1c4903cd0035da616059212f792fa1afbe1b3a5644b8f7572b1d

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-48_altform-unplated.s0s

Filesize
3KB

MD5
d6bd44b9518ad5129d13fedd3ca54888

SHA1
fd67311de3eedee2c645d088df5ceb40d0d1444a

SHA256
8fc39a4a33b2cba3507d7550e08f0bc6b72de9d0b2119ed545a0ffcf717d510d

SHA512
0e887dcc43e549f9464e9f8178f4e608b20b827ba9636ad6e3b3bf0faba07bf634a60eb00f1b96f2392de6e0216b9f5d0c9f6f3c390e3b1ea68133140cd660a6

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-60_altform-unplated.s0s

Filesize
4KB

MD5
e691b8f36b5422607d7d89ad4bb66341

SHA1
d78c47449f96829ba7cc8aa2bee910122873cae3

SHA256
0f8e31b0f39c57929d93733dd5bb8db05bde6fa1d276e6d7e638093154af7e13

SHA512
35369847bd9ac6d00bbd80783b6593bfe7b7fa8a5889593bc16e6746beebf0acb95ba7110be85695a44e7061ee88663e112343d77eb0a5c31ade2f652a2b25f3

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-64_altform-unplated.s0s

Filesize
4KB

MD5
260e109d302061bcc3624222803c1c14

SHA1
da06259172dfcfc9b13a52d22e7f0606ff5542da

SHA256
b57d4561aa981037b2356c44fe3d8647c4b48fa805235120fe4a6d160e8f3334

SHA512
14a30e6b13394c24c390ffb971fcd9c714bc1f7dbd69aa771506ad2bc5122465a136896227a98db5b99b3cee4bdd0c8e705d102471f98bf2e1f33ba5f402968e

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-72_altform-unplated.s0s

Filesize
5KB

MD5
8fd1760b0ad2032a17631616dc21f07a

SHA1
aae96982f1b3c0626248e62b10afa63681137d2d

SHA256
eb9c7a476dd6c8518b5e39c07c63dd36ab9d67bf165e05b22f85ecddf7bc317f

SHA512
78a23e9901cbee4223ded9dddf528b561e3906ce24c91edce6e51408b8809e104230002021ddca483247ba2e01e01105752b26a697228de73f3a117233772c1d

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-80_altform-unplated.s0s

Filesize
6KB

MD5
8f3a93fb3ce7e284df3ceedbeffe7006

SHA1
2990fb67ce88f02a92ad2e20d915990dc56b5630

SHA256
050a748d4c7696ea95f14f08e11939a635ba81d9981e2e5819e650035ecf7147

SHA512
11f832ebf74c24634876eb37c5e117c626bafc004092704036ccbacb8dd2aa2be83f1f26ee81f80f3bb50e891f12f3232d77ebd4cc39eda536be1d8a0e548967

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-96_altform-unplated.s0s

Filesize
7KB

MD5
e52f8e2c69f2c6afee041ae5181f7a05

SHA1
15ac1d50af8d7e36a73f4ea76bb5452bfb450d89

SHA256
53982c83a256fd1a6390251cc2610f57d3af78b1beff21e7427def6e1c8bc73a

SHA512
c6f6708d6795ed7ea1c5f244f99ff8713932b86de8005c9adc2ae1e3625e04121724e7abbc24a4ec0a32b1a58b213d723d9959186a93c2e556f90273a4fbc407

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-16_altform-unplated.s0s

Filesize
560B

MD5
4ea7dc18e5ed3fbe262079fe20fd5b0b

SHA1
aec44d945fef25f9fc062cf04608681eefdc6d67

SHA256
2eef54dcbd802a14abf106a4875550fab799e4feba62577fe66c8f9ccaf7f6d7

SHA512
67312535497742f9cd3fb994445b5fabed7f5594f0f753d10149861bbba39069bbb8048157d02e41475ce0689c0eef9cb2313bf2ce92d52ec37bd3f3cc19d2c8

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-20_altform-unplated.s0s

Filesize
688B

MD5
2993d56a763082d72a45f4d4c93a13bb

SHA1
4accfa81f0992b94fa5ac9f1c0a05f6b2128cca7

SHA256
bd090655e3ac418018c516a34826f61557047832c645934ee133558e52162d39

SHA512
2cb19f099e4ebcce0d6298fc47a7ba56886ed5ba1999189bc00b5eecd808229a80a10f37cc3248e9ce5d2e3b2fa8a0c39e5ebc509e0ab88188c682f41079f706

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-24_altform-unplated.s0s

Filesize
816B

MD5
0a1e07eeaa0da64d9a6672a4296c1c94

SHA1
aff5ad7ee15c4e5a7f0c7b63c5c2c3d46d3bff51

SHA256
4749e0f34a7645ed70a6d9894a3ffca8f18f7a04075057523486979667188d3a

SHA512
ef5c4056f0981803932acee3e6f7f76eeca1cc19becfbd4409618ba23172d7e0a25e46373c313b0f4cd99b1171a70b4081843ad6113038a205cd3e5beb769af6

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-256_altform-unplated.s0s

Filesize
13KB

MD5
928860f012d75f93cec14d6ee6b9cca8

SHA1
1be9957c575a4d15fe4fe8825e21a10cfbd5618f

SHA256
f3bb950e0d3568df432ba1cf6aa751a725bd60214e1bb1b34fe7af64e0e3ddc1

SHA512
a400dbcb58cbd5ca3a5b08acf8fa66ca253e81b987769329a9e0b0b8c863a796e17689dbcb2e839c33a1f0addada0b965ffb904877e156cea46f1d55815d90c4

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-30_altform-unplated.s0s

Filesize
992B

MD5
619b1541be9d5b9829b169c18d8226d9

SHA1
5d4ba9aa47accdb272e135da1bf2a4598cb1f49b

SHA256
218e9f8ad36cf4c271fe03818906e22cbc7f0c089a1afdab05670334a6f34180

SHA512
5da5c05ad165305a9f188264b366ebceb94d3fe6135738df69a9910b5da2bef5fe99a2a4814ae7603a390b607b3c612aa6f5b0ade07130ee155a106eb082590e

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-32_altform-unplated.s0s

Filesize
1KB

MD5
8270f858b9bd961d238154499a71e416

SHA1
636e930aa74f51e886561d58ef171c4a061106ef

SHA256
1bc5aa96d4806ef95e7d5d6047383a8cb20a1ba5bd165fdaf767fde2ffa6534a

SHA512
edb8e23b17c44672c1d544d60accf42347c50f44bb43bf9f54dd37f407d7f68adb70e3bb96eaf58ba52c774a08d080218489be9d4747a84c0e19800c8e841a97

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-36_altform-unplated.s0s

Filesize
1KB

MD5
c40bc5c3d8411e0a936aae70864ba522

SHA1
1df62ce44fcf06fc716746084ef306817dde2081

SHA256
15a43564202f392393dd5a8aba07ceef5d6521d22f7c296180988ad25e9cba44

SHA512
09c35e4292c8f283d23bc07e4cb0a4d2842a2304c7e217b708b78e4bc8db8fbed71cebab32b2aeb7030941d85c6154a956fc0c7357bbe4f64f8052c26641cec8

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-40_altform-unplated.s0s

Filesize
1KB

MD5
913bd0f23ffd0c296d5101401b0d20f1

SHA1
18079f96d0623979072f2d7fc8b69076c3f9ece9

SHA256
9d280d9c6e64b7429cf1b71d2cb9f22bb18058274c87a64228e94047441147a6

SHA512
020aca67e258daf836f1e752cc5a394835363ff4175ee73e74678c13e1c1fdbc52c4144887766691ce58ac20ea5063e98438801bedf0da48126c43f38d0a4b87

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-48_altform-unplated.s0s

Filesize
1KB

MD5
bcf1dfb528107128048e62f5d8354a2d

SHA1
7ec186f42a2dd5c906ceb207b8cfa10aa6942884

SHA256
06b3eb53807a39b9807f485b2ad175e5b7791aa4f3c7de82d2d93631978b48c9

SHA512
9e8bb9ac99838988c601ea2936a62d6ae89cf57ebb28bd2dd66cbecdf162c4d3b6f580d9492d2cf9fd35e635e05eb58af49e8c742905fe7964003be73588bf34

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-60_altform-unplated.s0s

Filesize
2KB

MD5
0b3341ff11cb742816f9904c8647f744

SHA1
b221eefbfc3af2f5431a9b5d1a4163bb15920da9

SHA256
043f3e7f5300835b5f221fc6faef686650b32158a1af6889e5f6ff80334b41ee

SHA512
414c363565021a1a4dd097902d74ff5dd62bb074076474d99546a70706e3c69ab6d87416851e226ec24cd02ff3e9b6d3282cc53fb331142f930784450f1ea77f

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-64_altform-unplated.s0s

Filesize
2KB

MD5
50859210207899afd9997e9a9858cd26

SHA1
114cb2cc9fa1a434ce7616cdf113814097ba968e

SHA256
df9425f6a43feddca79823be375e16871b9076b99bb53494b050f8c3d47467ad

SHA512
1d73fe367ce84c4cf56840a5409222cb5217c43610f50146f0a0f32dacc4c894414acef488bc90d3c550fa8c300bd672e92d805842d4dfe34ed8fb20ff5c9b0b

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-72_altform-unplated.s0s

Filesize
2KB

MD5
d1cba70c1c38f5f85a1a72cbf60741e3

SHA1
887847ae0ce9e8a4e58d019270b86534ebbba002

SHA256
611f3a91e0a73003032ef620f09d3ad4a17e82b3a3a5be3e7ec968ef7b9dd2e2

SHA512
7d21ec20585ff8a54c10340d2449ef4b0826bb7422335a6e16cd5dfbe80ff24b93bb1429e4a566558874b56e4a5f5a915a3e74b67cbc39e23c17a02782580d26

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-80_altform-unplated.s0s

Filesize
3KB

MD5
604133c2193f284a2b95d021acc7246e

SHA1
370ee0d4036a03f03a94be9cb62db19f143f08f5

SHA256
fff41890a00c33c635b8e6670bc737c74d4694af416514368a7b99bd060b868e

SHA512
de7a16c7913cc959a76c0ab5470f7c048700a0308191cc0c3548ead650bba7fe03b9a67639c67bb79de2ca8a820382240d78fe2d7335b67dac3edbb7d083b63c

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-96_altform-unplated.s0s

Filesize
4KB

MD5
43ebf724f450e022fc2d5ba9a73c412f

SHA1
69b7300abd03892a4a7853c7b6f4e37f9d6df569

SHA256
ac3f7f85aafc3e9fc85013ca453dcb95de97af01c11f625324b741cf6a79f7cd

SHA512
9ec855f1cb32c5ceb75ca7825118d154f5fbc09209ddc0339c42a0a2f6314e539e5063374b6a222977ca14af8bba23b5b065599756707a1d760e63382142a3c5

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorBadgeLogo.scale-100.s0s

Filesize
304B

MD5
5cb804e7419e7d8a248fca0cd66d34ae

SHA1
57753d79f5b125497faea40e2ebe7a325cb33d3b

SHA256
501385b9da7658b36f7c88fc7af85523785c927c3322d18c8d23693fb2762282

SHA512
d2777b8727c94ad04d8b45a76d0efa976a6a2794d09f410b8ca39e8c5f78c365aaa181760fdb19af338a21a035cbd7237b91d3fe285be65c6afac972c9337a76

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorBadgeLogo.scale-100_contrast-white.s0s

Filesize
432B

MD5
46423ad34bb16810aa2bf07d7e66c4c5

SHA1
250c17ac270155fd811eb3a2cc5870e1fcd65238

SHA256
19a8d57e9233359b96c30b7ff2a4604eee36627ef92a020deb770740a954f870

SHA512
c77c1ce6a390d8a49a9122c18cfe46ea852ee07c9971015d343bd465eaf0cb8488db9a2ba8cc5323c54cc9440004377102078f19b055c0b12caf67a5aeec6b02

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorBadgeLogo.scale-125.s0s

Filesize
320B

MD5
2a521dd250752d7afbc82e43d39c741c

SHA1
de0c5e5a8b6370d39d40b7efbac6c98b7a5be458

SHA256
9c690c5cf60e3cdb3c1ea269d8d447c079baa261239d0e1dd89eef67652db6d5

SHA512
c23287a56bc2ec360594d55305c3332f950b119cc7eb1d3c0030afb269031a75afabb7066a39178b103960b9240389b252b8ae293bd99e86ef746e6a74caaf98

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorBadgeLogo.scale-125_contrast-white.s0s

Filesize
448B

MD5
a0e3fb7117b8f19ba2588742344a87bb

SHA1
4884c750a3b6e52c7fc4371c08f5da7746326dac

SHA256
4861cf4bacc295af47f15286989f8e29c5340a31d77887499dc0f10242054629

SHA512
320c50711fc0a1ce907e77039534c9c052bd43c02e4ec0c716222c2466ce50f82d190e93e43fe6da9623c1a8cd08ac69959bb778fa647b4c5d9788c0687faa95

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorBadgeLogo.scale-150.s0s

Filesize
384B

MD5
f947bb08b0b5a84163dc5f7d3962f6ef

SHA1
697ea8c034733fd3116c6a256f34a22d62e801b7

SHA256
ee63d10cd41531d649f90c27ec60195cf67da5ba8a5651f00def0ce780c00cb1

SHA512
0ac57dc790cf953d042cb33dd1ba3a97ba203479d3eb02451c3f2b7d3a522557bb55ea634d1640ef1904e3a550f34ce7a24d7b55d1ca791751fdeb62c68fba00

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorBadgeLogo.scale-150_contrast-white.s0s

Filesize
496B

MD5
16f432b8de3db2bce3552650314dc7ad

SHA1
5d0e7dc6dabb7b991a2cba35498489e8353dfbca

SHA256
6b2245ac4e6d6dd293675203c5dad0807ad61285baa088627b852a470bfae71c

SHA512
7b8a34850802d30f6baa645a76986b4a7a5468454eaa59a92266eb869007a47eadc494a821045f691a501eae8a001945a070e3fdff9949f1936352748efbacf7

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorBadgeLogo.scale-200.s0s

Filesize
480B

MD5
0f5204b6458f5037c5411a2e68d800dc

SHA1
fe14f77ddba7fe36919748e7131e7ea31a9f3896

SHA256
cd391ecebf8c508bde9495f2fc5625182a57234a8c06603e5af634feb5081971

SHA512
80e607e0e4b38c9e2f9ebea6459b4b02f9cd394f937c83695a57d4acef828b6911bb395a0f5514faec03593b2b9787ecfb746e66a3891a49b4f95c1db449a5ee

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorBadgeLogo.scale-200_contrast-white.s0s

Filesize
576B

MD5
2c58a388d2d8fb79b633cda8a73f37c2

SHA1
69619e35e5d45f3ed1de78f9d2a9cbff749a77a4

SHA256
c0b02bbb20d807a6a30be97f8541afdd9e228e935297996c138fc9fa4dadd994

SHA512
778bcc0fada88d7cfb300ab09722c8595c492a33129e373abf8982578ab8ea6973d660897b8a9bbd0fd2a96794524ed33ad2a1df4f1e8ab34f0633f3567b8e35

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorBadgeLogo.scale-400.s0s

Filesize
976B

MD5
addac3e124a4f94e59e737cb1baa5da2

SHA1
2bd1cb3880a8b0c4bd75cab32bc6f10d1c766c01

SHA256
9f46fd51e79e6d53a8338ebc538e0fb4861f943dce3f5257bc5c284126e2f6c0

SHA512
296cd32de96e3cb5551b2be359b2d1114213dfd40d6cc3a3c4546343a72ac9d9cc69c39d31c60a8bc4bce58ceda2d6b07569bdafbcabe95e78466da9669dae9d

Download Submit
C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorBadgeLogo.scale-400_contrast-white.s0s

Filesize
864B

MD5
6545eebed8dcd90d40606a303a3cfb8e

SHA1
18235ff238dce223dc44d36e49beba9210be752f

SHA256
ee5bac7e6a37e492ada6d958fbfb3b4c3e1e5d29c9f5745bb6bd0bac37d0f917

SHA512
62c9f74ead49f5f5a07f238dfa5461031f38793c46d1dd2bef8d69f946219236d39a868909a43cf0391ad4f150e3eb7096926045408c136c27bc81bdfdaf320e

Download Submit
C:\Windows\SystemResources\Windows.UI.Search\Images\logo.s0s

Filesize
336B

MD5
03f8acb20de3d8e65df33ed77ee0a50e

SHA1
02e8586e036c955252b2111495b75232c409a370

SHA256
c902bb4f1a2217ce9b25dc890c088ba25c1ebe9e3bdc4048a1ae63ef28f6a6a2

SHA512
dcb306d2770a2370751f9495dd97b995b9d374255484ffcf0bb3f77360cecfa64a521d16e67b59564947d9354dd2a7369103b5fc32c6d1d3ced6793704520c1c

Download Submit
C:\Windows\Temp\FXSTIFFDebugLogFile.s0s

Filesize
16B

MD5
df2fdff5c81840ccba452e7b6050cc41

SHA1
70b7faf33eb52185d8845cbe4be380989c44ebea

SHA256
cae8df5eba723bd8855f9bb71b6a52703eca52f791eda51b089c4e98d4e9e3d2

SHA512
f15188b6ab0746af23d9592949cfbbc265f18ec205d2eb3aa6d986c74a76232e48ab77a17523a5498eb523f34a7b4c9164f686c05aae194157491a508b540e98

Download Submit
C:\Windows\servicing\Editions\IoTEnterpriseEdition.s0s

Filesize
23KB

MD5
3c59acea88f6522d8e01b8a1927dd78e

SHA1
38bbb3eea9cb629a4841da2affd2af72932848fe

SHA256
e1748b89c23bb0722c9b25058211f6ebd336bdcd48c5e3aeed6e6f4bc7faea70

SHA512
fbdf123d2b7f82bea8117ae04010731408cde027064232a9511849e39faba4654ee572f74523365980dd21364da02d9c14c2b35f7950447b8772c53ccb7705b4

Download Submit
C:\Windows\servicing\Editions\ProfessionalEdition.s0s

Filesize
23KB

MD5
35aa27e9c16331a916b238f5a0a20b89

SHA1
1270beb31d757ca5c0e1576c1b358ddf4690599d

SHA256
d769ffcea6d77878e372234e32ccc9c8b9eaf98dd1252460008a57bdc0a19b52

SHA512
734e2fb0a92e3189569c8a6861c1505155cbb9c0d75bcac263d31762bbad5f246100118d2a333bbbcb6306388940fdfc540c3d29736a3c772fa11df4d000cd26

Download Submit
C:\vcredist2010_x86.log.s0s

Filesize
80KB

MD5
c0532daf2ec221deb6135bf8cbfc95fd

SHA1
d24f56fbf3f636df0ab9ba1081189c12d932b432

SHA256
8e3ab47bdf3c85a1cc6b170d6f2d39dba8ab97d34e59d1e5a6677ccaf4b833c4

SHA512
53367c5a437e10b0ea25a8a7a879d21b28b87d4aa2c86a480e7aed4ff48168dae3d7d2747164fe63be1d0da473ae8b9a9252e81905cceb01e7afba067b1f2d28

Download Submit
memory/716-4430-0x0000000005FB0000-0x0000000006054000-memory.dmp

Filesize
656KB

Download
memory/716-2354-0x0000000004E40000-0x0000000004E8C000-memory.dmp

Filesize
304KB

Download
memory/716-1949-0x0000000004850000-0x0000000004BA7000-memory.dmp

Filesize
3.3MB

Download
memory/716-4721-0x00000000062E0000-0x00000000062F1000-memory.dmp

Filesize
68KB

Download
memory/716-4922-0x0000000006320000-0x0000000006335000-memory.dmp

Filesize
84KB

Download
memory/716-4397-0x000000006F840000-0x000000006F88C000-memory.dmp

Filesize
304KB

Download
memory/3112-52-0x000000007491E000-0x000000007491F000-memory.dmp

Filesize
4KB

Download
memory/3112-0-0x000000007491E000-0x000000007491F000-memory.dmp

Filesize
4KB

Download
memory/3112-1-0x0000000000E40000-0x0000000000E84000-memory.dmp

Filesize
272KB

Download
memory/3112-2-0x0000000074910000-0x00000000750C1000-memory.dmp

Filesize
7.7MB

Download
memory/3112-51-0x0000000006AA0000-0x0000000006AF8000-memory.dmp

Filesize
352KB

Download
memory/3112-53-0x0000000074910000-0x00000000750C1000-memory.dmp

Filesize
7.7MB

Download
memory/3308-23-0x00000000076A0000-0x00000000076D4000-memory.dmp

Filesize
208KB

Download
memory/3308-33-0x0000000006CD0000-0x0000000006CEE000-memory.dmp

Filesize
120KB

Download
memory/3308-42-0x0000000007C30000-0x0000000007C41000-memory.dmp

Filesize
68KB

Download
memory/3308-41-0x0000000007CB0000-0x0000000007D46000-memory.dmp

Filesize
600KB

Download
memory/3308-40-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

Filesize
40KB

Download
memory/3308-39-0x0000000007A20000-0x0000000007A3A000-memory.dmp

Filesize
104KB

Download
memory/3308-38-0x0000000008060000-0x00000000086DA000-memory.dmp

Filesize
6.5MB

Download
memory/3308-37-0x0000000074910000-0x00000000750C1000-memory.dmp

Filesize
7.7MB

Download
memory/3308-36-0x0000000074910000-0x00000000750C1000-memory.dmp

Filesize
7.7MB

Download
memory/3308-34-0x0000000074910000-0x00000000750C1000-memory.dmp

Filesize
7.7MB

Download
memory/3308-35-0x00000000076F0000-0x0000000007794000-memory.dmp

Filesize
656KB

Download
memory/3308-49-0x0000000074910000-0x00000000750C1000-memory.dmp

Filesize
7.7MB

Download
memory/3308-24-0x0000000070440000-0x000000007048C000-memory.dmp

Filesize
304KB

Download
memory/3308-43-0x0000000007C60000-0x0000000007C6E000-memory.dmp

Filesize
56KB

Download
memory/3308-44-0x0000000007C70000-0x0000000007C85000-memory.dmp

Filesize
84KB

Download
memory/3308-22-0x0000000006720000-0x000000000676C000-memory.dmp

Filesize
304KB

Download
memory/3308-21-0x00000000066D0000-0x00000000066EE000-memory.dmp

Filesize
120KB

Download
memory/3308-20-0x0000000006210000-0x0000000006567000-memory.dmp

Filesize
3.3MB

Download
memory/3308-11-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/3308-9-0x0000000005930000-0x0000000005952000-memory.dmp

Filesize
136KB

Download
memory/3308-10-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/3308-8-0x0000000074910000-0x00000000750C1000-memory.dmp

Filesize
7.7MB

Download
memory/3308-7-0x0000000074910000-0x00000000750C1000-memory.dmp

Filesize
7.7MB

Download
memory/3308-6-0x0000000005990000-0x0000000005FBA000-memory.dmp

Filesize
6.2MB

Download
memory/3308-5-0x0000000074910000-0x00000000750C1000-memory.dmp

Filesize
7.7MB

Download
memory/3308-4-0x0000000005280000-0x00000000052B6000-memory.dmp

Filesize
216KB

Download
memory/3308-45-0x0000000007D70000-0x0000000007D8A000-memory.dmp

Filesize
104KB

Download
memory/3308-46-0x0000000007D60000-0x0000000007D68000-memory.dmp

Filesize
32KB

Download