d831ed356a20b3678fe305d7fedc3b093590efa2e22ed6e180576d65d52c11e7

Analysis

max time kernel
150s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
14-05-2024 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

552KB
MD5

ad1848193be64a450019fce578574080
SHA1

de6e57880b01402fd75e7fa2ed30b5c9519a0a76
SHA256

f28983daf13eb54a15eee49f1be496191972f99cc2bca90ce1296d8f9d602c22
SHA512

340c0a7d426c65d3c7c66c97a168e0dc12eef5ba2f8e53e068f26f8082731c4cf294e918f1788e8a367516ffdfd9e24be6944804a4050778f842828d5be0fb98
SSDEEP

12288:tkJPzdKY+GshK6UTJUI72dWKeMb01JQntLOCTpleu:t8dKJGnUINKemTpAu

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Eleven.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Eleven.exe

Blocks application from running via registry modification 2 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Eleven.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\sestqkq4.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\drivers\4amttjsl.s0s	Eleven.exe

Executes dropped EXE 2 IoCs

pid	Process
1444	Eleven.exe
1904	Eleven.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Eleven.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Eleven.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Eleven.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Eleven.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
3	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nnuvsuyj.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\lqntnsac.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\nhoxilmq.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\jpifo00w.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\e2lpqbcb.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\onvsxkol.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\icsxml\ne1kopvs.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\MailContactsCalendarSync\lttgymxa.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\5p3etq2p.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\04lnucbd.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\h45p3nfg.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\lm1qovej.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\hbjzbe2a.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\icsxml\akhxeyo1.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\en-US\ofursxvf.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\wbem\cr2ygy0g.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\ot0y4j3y.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\pjrn10zf.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\m34ip43i.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\ras\42g3g5j5.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\Bthprops\xoqppyhe.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\MSDRM\4ght12xy.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\1ivjuzph.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\45ea5h0k.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\Msdtc\Trace\bxsbit40.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\icsxml\g43x4aob.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\iq50rhpg.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\EventTracingManagement\k15bezyg.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\3cdx2yry.s0s	Eleven.exe
File opened for modification	C:\Windows\SysWOW64\Eleven.exe	Eleven.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\tk423end.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\oy0moja1.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\icsxml\uves4mm4.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\MSDRM\3uqhr055.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\ras\lf05g1kz.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\Professional\0b15cqc3.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\en23hvcf.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\v4re0tfm.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\rgzc43lz.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\whn3ynao.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\5qectasu.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\ras\jexgxn3p.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\0yqk3biu.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\v1mzeyu4.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\jhwkdgfl.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fenjit4r.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\zi5vdymz.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\mmdd3sd0.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\oblvbpxb.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\qxwz5scs.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\5ykzwzmd.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\0o1pqul1.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\njk3if03.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\jvfs4vos.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\ybeiz11u.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\en-US\nlkrjq1r.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\MSDRM\jkt3ebeu.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\icsxml\dgpbwibv.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\MSDRM\yjiiojat.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\u1g4vhbx.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\Volume\Professional\4m5l3m4r.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\Eleven.exe	Eleven.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\0m4xh2ii.s0s	Eleven.exe
File created	C:\Windows\SysWOW64\kdfsqhuh.s0s	Eleven.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp9A0D.tmp"	Eleven.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\4efh1rxu.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\d3lvtg1v.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\2tkaznha.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-black\32nluh4j.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\r0ixgkkt.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\0epip4x1.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\sgq3up0u.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\jvcm2rhf.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\5wkonbcr.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\vqbatwxq.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Assets\4esbb4qn.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\uulhids3.s0s	Eleven.exe
File created	C:\Program Files\7-Zip\Lang\k4jodyri.s0s	Eleven.exe
File created	C:\Program Files\7-Zip\Lang\m5j1cda3.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\zbqsvrfx.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\ty4jjiyq.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\zboi5kfd.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\sxhc32bm.s0s	Eleven.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\5tdfhjwo.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\y1xpqu3g.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\xjbzjhqh.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\5nbkurxz.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\tcoky3tj.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\3gwqjooe.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\03chadpd.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\wqs13fgg.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-white\bvbr2q4z.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\3vmvu4pj.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\nhmf5y4e.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\bwp2gfx2.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\41ejjl3h.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\0wv3zunm.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\t2o5lp2l.s0s	Eleven.exe
File created	C:\Program Files\7-Zip\Lang\wseie0gr.s0s	Eleven.exe
File created	C:\Program Files\7-Zip\Lang\zgu3lf0z.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\nupr15tf.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.4_2.42007.9001.0_x64__8wekyb3d8bbwe\mnmwlcbd.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\gx4c4fkw.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\42nt0e1i.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\clo5qn01.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\njszdji1.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-black\q5okhgca.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\methm143.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\bzsxpd2i.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\tzt1v4ry.s0s	Eleven.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\j02o1poz.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\abjhhzf1.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_10.0.561.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\xczvmm5l.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\ozew5avw.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\noixxgiv.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\Tented\uasjg3f1.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib\fonts\1zree5kt.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\ry3swzvm.s0s	Eleven.exe
File created	C:\Program Files\7-Zip\Lang\1zvx4b3h.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-black\0jzltcxx.s0s	Eleven.exe
File created	C:\Program Files\7-Zip\Lang\iyq3230a.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\xtsyi2qh.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-black\gcmc1npl.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\effects\np1e1bej.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\dzkmpbbj.s0s	Eleven.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\wdoqgfhy.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\mlf4usxm.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-black\5snlp5b1.s0s	Eleven.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\hszjzwag.s0s	Eleven.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WaaS\regkeys\frfn522g.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Assets\4txbgyij.s0s	Eleven.exe
File created	C:\Windows\SystemResources\Windows.ParentalControlsSettings\Images\gzxbechk.s0s	Eleven.exe
File created	C:\Windows\ImmersiveControlPanel\images\jbxwd31a.s0s	Eleven.exe
File created	C:\Windows\INF\35xpzwhp.s0s	Eleven.exe
File created	C:\Windows\INF\yqklurmq.s0s	Eleven.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\4s2rhm0x.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\m34jvwp5.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_netvg63a.inf_31bf3856ad364e35_10.0.22000.1_none_eab2964adfcdf8b2\0ghqqk1z.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.22000.120_none_8faca973dc064b74\mapqayxs.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\xtt3j2qk.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\1h1inqas.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\VisualProfiler\images\du2igdol.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_prnms011.inf_31bf3856ad364e35_10.0.22000.100_none_c07698c3eed47050\jrz33xhh.s0s	Eleven.exe
File created	C:\Windows\INF\ftdya1ug.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.22000.120_none_8faca973dc064b74\2x5rvp1a.s0s	Eleven.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\ukf3qahp.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\dm2dthru.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_netbrdg.inf_31bf3856ad364e35_10.0.22000.1_none_47c7c79dd97aff4c\vyjlrqym.s0s	Eleven.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\Icons\uhrwtopl.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\lq1c22ij.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.22000.1_en-us_0bff281a9f5ef450\rhfi2kcl.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\00hihmyi.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_prnms012.inf_31bf3856ad364e35_10.0.22000.100_none_e9886ee567ba694f\r\adojfyyn.s0s	Eleven.exe
File created	C:\Windows\INF\qhdq2kl4.s0s	Eleven.exe
File created	C:\Windows\INF\c55r2uho.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\djk11rib.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22000.469_none_160103e31c4d8d88\ucipepp3.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\0r3opxgc.s0s	Eleven.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\52f3ezhj.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_netnwifi.inf_31bf3856ad364e35_10.0.22000.1_none_1519f60dfb2516da\3atqvjhl.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_hidi2c.inf_31bf3856ad364e35_10.0.22000.1_none_c93de7dcfbdbd51f\pitjhhwg.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22000.469_none_160103e31c4d8d88\2oel5abl.s0s	Eleven.exe
File created	C:\Windows\ImmersiveControlPanel\images\504mf3wc.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-printerdiagnostic_31bf3856ad364e35_10.0.22000.1_none_1c02ded69f82821d\iwk0b353.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\view\doz3q4im.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\gj1ze2ei.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\f\2krko1ib.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22000.194_none_15db8cfb1c6a6b33\eak1io5h.s0s	Eleven.exe
File created	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\je3pl2ui.s0s	Eleven.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\b4okpwsh.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-powerdiagnostic_31bf3856ad364e35_10.0.22000.37_none_1c5e9e8769a71107\jvwikl2m.s0s	Eleven.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\webapps\templates\view\yjve5b2i.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\3kzxl23k.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_sdstor.inf_31bf3856ad364e35_10.0.22000.348_none_36fa2aa26125b0c9\r\fi4jta4u.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_netrtl64.inf_31bf3856ad364e35_10.0.22000.1_none_d56c3973a6569aa5\xapes2je.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ets.icons.searchapp_31bf3856ad364e35_10.0.22000.1_none_6f0cc71f80b32941\uguzqtqc.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\bpzixiev.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\network\Images\hvex3ch5.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_sisraid4.inf_31bf3856ad364e35_10.0.22000.1_none_2b4d7e1d685f8e6b\qymhcel3.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_mdmhay2.inf_31bf3856ad364e35_10.0.22000.1_none_2ffd889bdb6b53e2\0nm0jyeg.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ast-black.searchapp_31bf3856ad364e35_10.0.22000.1_none_84cc55352e2b785b\nmn3au0o.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_gameport.inf_31bf3856ad364e35_10.0.22000.1_none_c41d4fe257eb6167\ukfpp5zh.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-ui-xaml-cbs_31bf3856ad364e35_10.0.22000.120_none_9adee443d1039cf0\r\4l0mzfa0.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_dual_tpm.inf_31bf3856ad364e35_10.0.22000.120_none_1ac5a5b8188fbed9\4qeisbzv.s0s	Eleven.exe
File created	C:\Windows\INF\fuaj145q.s0s	Eleven.exe
File created	C:\Windows\INF\ijpbqa02.s0s	Eleven.exe
File created	C:\Windows\PLA\Reports\y1krgmfr.s0s	Eleven.exe
File created	C:\Windows\PLA\System\5kczdbpw.s0s	Eleven.exe
File created	C:\Windows\WaaS\regkeys\vog1vubr.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\33sxhunv.s0s	Eleven.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo\v3uya4dt.s0s	Eleven.exe
File created	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\0htmrpja.s0s	Eleven.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.22000.120_none_285ae36df9fb90ad\jdwd311w.s0s	Eleven.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3324	1444	WerFault.exe	78

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2748	schtasks.exe
3632	schtasks.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Eleven.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\elev..tion_bb3a3dd0d6e45e5f_0001.0000_e70ab4207b78118b\identity = 66696c653a2f2f2f433a2f55736572732f41646d696e2f417070446174612f4c6f63616c2f54656d702f456c6576656e2e6170706c69636174696f6e23456c6576656e2e6170706c69636174696f6e2c2056657273696f6e3d312e302e302e322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d626233613364643064366534356535662c2070726f636573736f724172636869746563747572653d6d73696c2f456c6576656e2e6578652c2056657273696f6e3d312e302e302e322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d626233613364643064366534356535662c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_tr_9542aeee38ef60ed\implication!elev..tion_bb3a3dd0d6e45e5f_0001.0000_8e60 = 66696c653a2f2f2f433a2f55736572732f41646d696e2f417070446174612f4c6f63616c2f54656d702f456c6576656e2e6170706c69636174696f6e23456c6576656e2e6170706c69636174696f6e2c2056657273696f6e3d312e302e302e322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d626233613364643064366534356535662c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_zh-cn_4f964cffd35d7911	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_de_8eb6cb0a3d15ad40\DigestValue = 38be8d2583541f2bf60fcfd95eb2ec0f4570bf7ff445023600a2607633fe6ea2	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_es_8e90f3503d3e38f5	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_ru_943f30ce3999abb2	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\eleven.exe_bb3a3dd0d6e45e5f_0001.0000_none_c6035d2c2b67c18e	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	Eleven.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_zh-cn_4f964cffd35d7911\lock!160000005496570ed01200006408000000000000000000 = 30303030313264302c30316461613562346536623737303062	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_it_904c401c3c226702\lock!1a0000005e97570ea4050000c80c000000000000000000009 = 30303030303561342c30316461613562346632333839336362	Eleven.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\elev..tion_bb3a3dd0d6e45 = 32003000320034002f00300035002f00310034002000300034003a00310032003a00330033000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_de_8eb6cb0a3d15ad40\Files\Microsoft.Win32.TaskScheduler.resources.dll = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_it_904c401c3c226702\lock!1c0000005496570ed01200006408000000000000000000003 = 30303030313264302c30316461613562346536623737303062	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\elev..tion_bb3a3dd0d6e45e5f_0001.0000_e70ab4207b78118b\micr..rces_e25603a88b3aa7da_0002.000b_sv_94a5e810395	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_ja_918b35ce3b3f58a6\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_zh..t_d556e9416ac72baf\lock!140000005496570ed01200006408000000000000000000 = 30303030313264302c30316461613562346536623737303062	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_it_904c401c3c226702	Eleven.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\elev..tion_bb3a3dd0d6e45	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\elev..tion_bb3a3dd0d6e45e5f_0001.0000_none_96a49946ed9cf82f\implication!elev..tion_bb3a3dd0d6e45e5f_0001.0000_8e = 66696c653a2f2f2f433a2f55736572732f41646d696e2f417070446174612f4c6f63616c2f54656d702f456c6576656e2e6170706c69636174696f6e23456c6576656e2e6170706c69636174696f6e2c2056657273696f6e3d312e302e302e322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d626233613364643064366534356535662c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_de_8eb6cb0a3d15ad40\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\eleven.exe_bb3a3dd0d6e45e5f_0001.0000_none_c6035d2c2b67c18e\SizeOfStronglyNamedComponent = 5a9a000000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_fr_8f0d4a6a3ced218b\DigestValue = 71a0ff1dcb30dcdc838ecdfebd788acd0f64c4eadb7bedbe473827c1fcca21a0	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_fr_8f0d4a6a3ced218b\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_es_8e90f3503d3e38f5\SizeOfStronglyNamedComponent = cc33000000000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_zh..t_d556e9416ac72baf\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\elev..tion_bb3a3dd0d6e45 = 660069006c0065003a002f002f002f0043003a002f00550073006500720073002f00410064006d0069006e002f0041007000700044006100740061002f004c006f00630061006c002f00540065006d0070002f004100700070006c00690063006100740069006f006e00250032003000460069006c00650073002f0045006c006500760065006e005f0031005f0030005f0030005f0032002f0045006c006500760065006e002e006500780065002e006d0061006e00690066006500730074000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\elev..tion_bb3a3dd0d6e45e5f_0001.0000_none_96a49946ed9cf82f\SizeOfStronglyNamedComponent = e138000000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\eleven.exe_bb3a3dd0d6e45e5f_0001.0000_none_c6035d2c2b67c18e\DigestMethod = 02	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\elev..tion_bb3a3dd0d6e45e5f_0001.0000_e70ab4207b78118b	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_tr_9542aeee38ef60ed\identity = 4d6963726f736f66742e57696e33322e5461736b5363686564756c65722e7265736f75726365732c2056657273696f6e3d322e31312e302e302c2043756c747572653d74722c205075626c69634b6579546f6b656e3d453235363033413838423341413744412c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\elev..tion_bb3a3dd0d6e45e5f_0001.0000_e70ab4207b78118b\eleven_none_0001.0000_none_83de1d2a808873a3\Files	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_tr_9542aeee38ef60ed	Eleven.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_ja_918b35ce3b3f58a6\lock!220000006d97570ea4050000c80c000000000000000000001 = 30303030303561342c30316461613562346632333839336362	Eleven.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_it_904c401c3c226702\Files\Microsoft.Win32.TaskScheduler.resources.dll = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\elev..tion_bb3a3dd0d6e45e5f_0001.0000_e70ab4207b78118b	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_pl_93bd71be39e2a72b\lock!240000006d97570ea4050000c80c000000000000000000001 = 30303030303561342c30316461613562346632333839336362	Eleven.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_zh-cn_4f964cffd35d7911\implication!elev..tion_bb3a3dd0d6e45e5f_0001.0000_8 = 66696c653a2f2f2f433a2f55736572732f41646d696e2f417070446174612f4c6f63616c2f54656d702f456c6576656e2e6170706c69636174696f6e23456c6576656e2e6170706c69636174696f6e2c2056657273696f6e3d312e302e302e322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d626233613364643064366534356535662c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_ru_943f30ce3999abb2\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_ru_943f30ce3999abb2\Files\Microsoft.Win32.TaskScheduler.resources.dll = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_tr_9542aeee38ef60ed\identity = 4d6963726f736f66742e57696e33322e5461736b5363686564756c65722e7265736f75726365732c2056657273696f6e3d322e31312e302e302c2043756c747572653d74722c205075626c69634b6579546f6b656e3d453235363033413838423341413744412c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_it_904c401c3c226702\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_ja_918b35ce3b3f58a6\lock!080000005e97570ea4050000c80c000000000000000000009 = 30303030303561342c30316461613562346632333839336362	Eleven.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\elev..tion_bb3a3dd0d6e45e5f_0001.0000_e70ab4207b78118b\eleven_none_0001.0000_none_83de1d2a808873a3\Files\El = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_pl_93bd71be39e2a72b\DigestValue = 9a34ee28ae9a8364287517c993077afd139fea1f69086aa51345e1045b1287e9	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\elev..tion_bb3a3dd0d6e45e5f_0001.0000_e70ab4207b78118b\eleven.exe_bb3a3dd0d6e45e5f_0001.0000_none_c6035d2c2 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	Eleven.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility\eleven.exe_bb3a3dd0d6e45e5f_0001.0000_none_c6035d2c2b67c18e\identity = 456c6576656e2e6578652c2056657273696f6e3d312e302e302e322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d626233613364643064366534356535662c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_ja_918b35ce3b3f58a6\identity = 4d6963726f736f66742e57696e33322e5461736b5363686564756c65722e7265736f75726365732c2056657273696f6e3d322e31312e302e302c2043756c747572653d6a612c205075626c69634b6579546f6b656e3d453235363033413838423341413744412c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_fr_8f0d4a6a3ced218b	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..rces_e25603a88b3aa7da_0002.000b_zh..t_d556e9416ac72baf\DigestMethod = 02	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_fr_8f0d4a6a3ced218b	Eleven.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_elev..tion_bb3a3dd0d6e45e5f_a01efe6173ad619a\LastRunVersion = 66696c653a2f2f2f433a2f55736572732f41646d696e2f417070446174612f4c6f63616c2f54656d702f456c6576656e2e6170706c69636174696f6e23456c6576656e2e6170706c69636174696f6e2c2056657273696f6e3d312e302e302e322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d626233613364643064366534356535662c2070726f636573736f724172636869746563747572653d6d73696c2f456c6576656e2e6578652c2056657273696f6e3d312e302e302e322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d626233613364643064366534356535662c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	Eleven.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_it_904c401c3c226702	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\elev..tion_bb3a3dd0d6e45e5f_0001.0000_8e60f0d0676bb27b\eleven.exe_bb3a3dd0d6e45e5f_0001.0000_none_c6035d2c2	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\elev..tion_bb3a3dd0d6e45e5f_0001.0000_e70ab4207b78118b\micr..rces_e25603a88b3aa7da_0002.000b_zh..t_d556e941 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\elev..tion_bb3a3dd0d6e45e5f_0001.0000_e70ab4207b78118b\micr..rces_e25603a88b3aa7da_0002.000b_pl_93bd71be39e	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..rces_e25603a88b3aa7da_0002.000b_ru_943f30ce3999abb2\lock!080000005496570ed01200006408000000000000000000003 = 30303030313264302c30316461613562346536623737303062	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\elev..tion_bb3a3dd0d6e45e5f_0001.0000_e70ab4207b78118b\eleven.exe_bb3a3dd0d6e45e5f_0001.0000_none_c6035d2c2	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	dfsvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4092	powershell.exe
4092	powershell.exe
2628	powershell.exe
2628	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4816	dfsvc.exe
Token: SeDebugPrivilege	1444	Eleven.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	1904	Eleven.exe
Token: SeDebugPrivilege	2628	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 4816	3468	setup.exe	77
PID 3468 wrote to memory of 4816	3468	setup.exe	77
PID 4816 wrote to memory of 1444	4816	dfsvc.exe	78
PID 4816 wrote to memory of 1444	4816	dfsvc.exe	78
PID 4816 wrote to memory of 1444	4816	dfsvc.exe	78
PID 4816 wrote to memory of 1444	4816	dfsvc.exe	78
PID 4816 wrote to memory of 1444	4816	dfsvc.exe	78
PID 1444 wrote to memory of 3632	1444	Eleven.exe	81
PID 1444 wrote to memory of 3632	1444	Eleven.exe	81
PID 1444 wrote to memory of 3632	1444	Eleven.exe	81
PID 1444 wrote to memory of 2748	1444	Eleven.exe	83
PID 1444 wrote to memory of 2748	1444	Eleven.exe	83
PID 1444 wrote to memory of 2748	1444	Eleven.exe	83
PID 1444 wrote to memory of 4092	1444	Eleven.exe	85
PID 1444 wrote to memory of 4092	1444	Eleven.exe	85
PID 1444 wrote to memory of 4092	1444	Eleven.exe	85
PID 1904 wrote to memory of 2628	1904	Eleven.exe	92
PID 1904 wrote to memory of 2628	1904	Eleven.exe	92
PID 1904 wrote to memory of 2628	1904	Eleven.exe	92

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Eleven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Eleven.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Users\Admin\AppData\Local\Apps\2.0\7X0501RW.P73\OWYD183Z.93K\elev..tion_bb3a3dd0d6e45e5f_0001.0000_e70ab4207b78118b\Eleven.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\7X0501RW.P73\OWYD183Z.93K\elev..tion_bb3a3dd0d6e45e5f_0001.0000_e70ab4207b78118b\Eleven.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - UAC bypass
    - Blocks application from running via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1444
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "Windows Update" /tr "C:\WINDOWS\SysWOW64\Eleven.exe" /sc MINUTE /mo 1 /ru SYSTEM /f /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3632
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "MicrosoftEdge Update" /tr "C:\WINDOWS\System32\Eleven.exe" /sc MINUTE /mo 15 /ru SYSTEM /f /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1648
      4⤵
      Program crash
      PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1444 -ip 1444
1⤵
PID:3540

C:\WINDOWS\SysWOW64\Eleven.exe
C:\WINDOWS\SysWOW64\Eleven.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Apps\2.0\7X0501RW.P73\OWYD183Z.93K\eleven.exe_bb3a3dd0d6e45e5f_0001.0000_none_c6035d2c2b67c18e\Eleven.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\7X0501RW.P73\OWYD183Z.93K\manifests\elev..tion_bb3a3dd0d6e45e5f_0001.0000_none_96a49946ed9cf82f.cdf-ms

Filesize
8KB

MD5
77be800633302b4e581326c2f4a785af

SHA1
0093c9886b3336125462b3b8c76a0d697dc659ef

SHA256
9a129f38fbbe2ad274c35c38e0595285733d4956b64c0a28347b605d7f54a0f8

SHA512
8eecce6f4c28e990cddb5cb10dd5899296cf122393c689a6bb550fd6dec237c566e9655314dd7edc1249ad42d9de87438e99a6e0f7b41ec8770e8ff6a5405a9b

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\7X0501RW.P73\OWYD183Z.93K\manifests\eleven.exe_bb3a3dd0d6e45e5f_0001.0000_none_c6035d2c2b67c18e.cdf-ms

Filesize
23KB

MD5
42e2fab4df76182f95d7e96e638532b7

SHA1
036ced348772a9df60abdf78f84a1e1f00edffa1

SHA256
7810fd6058244b60c9dc3f740d839000c80b9d5f56df404b15f21d6a276e9107

SHA512
7dc5787d8df65b55f2097e76e38dc588fc1180bc5ef157e86406a96da7eca042b6ef8796049333351d33886504eb75dd655af5b6082fc4efc40ea7f371cd4ded

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\7X0501RW.P73\OWYD183Z.93K\manifests\micr..rces_e25603a88b3aa7da_0002.000b_de_8eb6cb0a3d15ad40.cdf-ms

Filesize
2KB

MD5
84ec227bee3545a3af63aa69454b790d

SHA1
5bf30fffa5cb7195c7aba899034484ea35bdb052

SHA256
35077018a272d7f40336dcbfae31460202a60819057e8734bba404cca6325f4f

SHA512
7f9c5a8ba13e75a78e9b35051d80a3fecd323ea8bc2bcee5af2b3e0fcc3dfff052aba1625f70f62b5c6fd8a7db1ec927afbd7c9969517c826e50d1db1f50cd41

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\7X0501RW.P73\OWYD183Z.93K\manifests\micr..rces_e25603a88b3aa7da_0002.000b_es_8e90f3503d3e38f5.cdf-ms

Filesize
2KB

MD5
620dad7147e04fddd95da1bc55265c40

SHA1
e261fc3656c29baa5da7b481403085ed654272a2

SHA256
0c6d56eef29ee40c57336325a700304de470f2e52f540770316e114d0b522da8

SHA512
a93d00261e9b60d3138975f51d3bfe25cf9d2e71f881d7f01789d52ef7ecb87fc834ca0f0baf14c54c9f58a4af8538543994b3537850ec2d606cfccdb89bb43c

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\7X0501RW.P73\OWYD183Z.93K\manifests\micr..rces_e25603a88b3aa7da_0002.000b_fr_8f0d4a6a3ced218b.cdf-ms

Filesize
2KB

MD5
8a532b5d55a7b7a9e6d6acd5d5fd0527

SHA1
7565e50ecd3024e9270e234a0e83753ed0aaf7ba

SHA256
aff1604081e68d29f233e6464adcf1eacade3d22a720c8ba589ed02160bf4412

SHA512
6df85d3b92378b11b83ff72de424a85fde6cbd703383102857663566b7a443cb43355e7d7275ff3b53ab1297cc3e24f561816788cefebc6d27f8ff03036c1219

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\7X0501RW.P73\OWYD183Z.93K\manifests\micr..rces_e25603a88b3aa7da_0002.000b_it_904c401c3c226702.cdf-ms

Filesize
2KB

MD5
43b3669c391b2ec33490964ead73ebee

SHA1
3a393ccc1b49d8d7ad8cc595ac8479489fcaee35

SHA256
fbe25fb845357dbf6cd124d544b5d9aa6de5066466c686e638888704b19827d7

SHA512
bdefc173cdec6429cda8460c9153649447f89838ee34a10182f6b747877cbe950301c5bebf0f75c13c7cc4129db1f535a0e911d2d6bc2d15f61bf2f142674298

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\7X0501RW.P73\OWYD183Z.93K\manifests\micr..rces_e25603a88b3aa7da_0002.000b_ja_918b35ce3b3f58a6.cdf-ms

Filesize
2KB

MD5
1cf449aa73cbf7909a5b8c0e76f8266a

SHA1
f62c8c79246736f80d704748a65390b5285fa934

SHA256
295543f5e3ac02db44856de90c639b5848f6fbf6ab095871ef576a080ec8188e

SHA512
0c740c6cf55792e762a52749660e03e5c8680b569d10f781883bb29d97b8f31f7a8100379b172bc1fd7f9f8cd97f4de8739c2f4eaa4f929977cb0ce56ef3927c

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\7X0501RW.P73\OWYD183Z.93K\manifests\micr..rces_e25603a88b3aa7da_0002.000b_pl_93bd71be39e2a72b.cdf-ms

Filesize
2KB

MD5
a5ce26f27374ec40b89a60d72cfeb3ed

SHA1
56260c36e1a020e8ab0f8e81392947ceba1bf363

SHA256
6dec69b452967a04e9945718f5c93354a7d6dd641923d5dff2cd22f3f7d4407b

SHA512
4a5e53c46433c1eca54f47147315d5d0c2759ad859b3e0312f1795fa3ac67d84f9148d26b060fa4b45c8ba428562eb510e488e6d5464a721586f4457deef1f27

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\7X0501RW.P73\OWYD183Z.93K\manifests\micr..rces_e25603a88b3aa7da_0002.000b_ru_943f30ce3999abb2.cdf-ms

Filesize
2KB

MD5
c0ab91af2edade70af0760b8980ae34a

SHA1
3910782082b91f9918084151e659fec7222da572

SHA256
d9621f35efa8d3f433f283f48ae5e7eb509f129721f22b4c55ad2d4ea443b483

SHA512
ac5d4e5940de708dc7d478962de0648a550cd1ece28404ce8589d77b6dc5132c5bb522b239b792d5d3d192c9ba9d7a3713def2d5274dd3271f97d0ca1eec7e9d

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\7X0501RW.P73\OWYD183Z.93K\manifests\micr..rces_e25603a88b3aa7da_0002.000b_sv_94a5e8103958cc2a.cdf-ms

Filesize
2KB

MD5
a2b38734bcbb414a20b061c31e879037

SHA1
54def6bd2a39498e9f6c766a126c3aaefe3c4b9e

SHA256
da77f06b1e4ae3f8be1d72cbc2942aff569e3adb9ad38b83b2c30e1c150f782d

SHA512
ca82add50747120295420be37be24ebcfd696c121facf48eee681fc521fcd6a059161e5f27c8ce52a57773a74902e9e1bcd48370c11fe41211f886be436cdbd4

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\7X0501RW.P73\OWYD183Z.93K\manifests\micr..rces_e25603a88b3aa7da_0002.000b_tr_9542aeee38ef60ed.cdf-ms

Filesize
2KB

MD5
af32e1dc24f0eb8fcb59de5b46281996

SHA1
71a7856bf15779ddb9c55362489220279cf14b93

SHA256
5e8a50090fb5aa888dcff2c3c9c3ecde7a1ab366f22abfcd178716e4cff6d06c

SHA512
27b5b8fec2e88ece6a3d8cfb9dafc8d9a8dfdaff21a5ca6ded9a3b9e7279b8ad4125d227b6715788c60983c85f82aa27331df5b5bc65db6f93cf6f48a58b0fbe

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\7X0501RW.P73\OWYD183Z.93K\manifests\micr..rces_e25603a88b3aa7da_0002.000b_zh-cn_4f964cffd35d7911.cdf-ms

Filesize
2KB

MD5
bac49d4d9593d8b3b757f382d9aa577a

SHA1
72e59079b5f31ad6b0dfdea24d91fd6bf7b96f05

SHA256
5e17bc4e5f4c4d5ea10c0c697d19a9f5bdb48563b634fb9a5bb82a7483f63eab

SHA512
c145380985b246087edaf4bcd531dbd90ab573e8348cd0b89e2d7a69c1d7101ca21091fbcd241b7cb5f1085a24d55907f2be19058c298b71f64604b326add5b9

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\7X0501RW.P73\OWYD183Z.93K\manifests\micr..rces_e25603a88b3aa7da_0002.000b_zh..t_d556e9416ac72baf.cdf-ms

Filesize
2KB

MD5
405f76a02069f34a95d17570e6d315a1

SHA1
884e7fb02501dd23fc2dc48ab0e1819eb430a501

SHA256
dd86e1f805dbdef460aa0bc908d18a6c1b8b24fcdcd9c93985396e4831c2ccfc

SHA512
49872054c67ef5c760f7f7c86c8d957da50486ee050718d95ab63e2d382c2f35ce034a41733d52323e546041f6ce7d9799dc1fc04afea4adb735a130d6f433cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\Eleven.exe

Filesize
246KB

MD5
7e22c44d286b419331b52e6a4ec5c8b9

SHA1
4d47350e6a29c8d23caeb8ee81f32ecf14872853

SHA256
8343d8c1eb829c7bdda00ab121330ce0bc1923b077062c83971a9206ba8b3d7a

SHA512
958bb9102ffa9dec261cca01f2a06e1cb5f4b05511eb2fc79c28b9df37406ec05f73195de39e9ba1b4ba1c94aa6f967a97c53fb15fd017d7e61387527e94db98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\Eleven.exe.manifest

Filesize
14KB

MD5
8e631ff495dfcb49dc8f1762a66164db

SHA1
0baf1f9dd088151763cdf9a79ec52e91a59b5c88

SHA256
cf9a4004d15f5c227a1545d8bba5b3edca29e211cceee74843c34d6c317d1c86

SHA512
1c342f2634bd47505e7d3c6bf20489ff1e8aeefd262eea9eb09e562744c0cff76ffd14665e31418c23badadcde3a97cb8d3e1b84f8267b8efd7df74d8df36d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\de\Microsoft.Win32.TaskScheduler.resources.dll

Filesize
9KB

MD5
cce365095b4827c48eb851b98b5ac86c

SHA1
a40b68adecdf3a7a529f5a0c46e748477602e115

SHA256
38be8d2583541f2bf60fcfd95eb2ec0f4570bf7ff445023600a2607633fe6ea2

SHA512
a5b58debb9cffc5834435ca40de27730f6934027eae4e46ee9cf3e0984ecf8fb9325fbf6287ca3c5b1897128d5059189bea4558e96815ed92611e69de7d5e4a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\de\Microsoft.Win32.TaskScheduler.resources.dll.genman

Filesize
716B

MD5
64c3a9ffa11ccbc8768bf2c8bbdd3716

SHA1
d1508017e7b88ce7765d3b6289711d927c24b37a

SHA256
dd0fb45a19932e0273e86eb3b3638efdbb6371425b0713c0e58e124442e81547

SHA512
23cdf43e6e7584b8fa72620c1fbbf114011475bade6a787716434fce8da0ce01895200114ce211b01981a531e9f4034524c9cc50fefded8b511e8befe6ccab32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\es\Microsoft.Win32.TaskScheduler.resources.dll

Filesize
10KB

MD5
1408dcf0e733feca14cbbbda7b4a917a

SHA1
8f7d65da58bcb153cb5addbb2c9ea6f3f2e41f74

SHA256
b54e7c0368dcbd350815a4207dfd144c8555997be60f2d8563590e11721aae45

SHA512
91dd79e002547c5fa07aa6d4f6eb0075ed1d7f8281156775cfb6ea6a9c7e4ddac4df9ef1160829a502917a4dd6cdec3b1439a37a2e8f4e82ebd40f0364536d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\es\Microsoft.Win32.TaskScheduler.resources.dll.genman

Filesize
716B

MD5
0355add52be0bc375727360b70d571ef

SHA1
f39bf479afb394540dfda210d2bb9767f61729c8

SHA256
fe35d54a67399f0a54c66baabbb7e00b14e1b8c699b9a37e3018f844220b5cee

SHA512
a78b4cf1482790c3e02771f2ced6d380ef49d684e824db6fb4c001290162bc8cee1f2f51842abdded93618a0e186951355696912c454214db25e40b361913220

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\fr\Microsoft.Win32.TaskScheduler.resources.dll

Filesize
10KB

MD5
ff2447103c0b2ace6e06474ef44519fc

SHA1
9587566ff2cd6d3bc400f1e1300cef258127953b

SHA256
71a0ff1dcb30dcdc838ecdfebd788acd0f64c4eadb7bedbe473827c1fcca21a0

SHA512
395c24e3c9a5d1fde08125deff5233f3d22692611c50cfef32f32f38e047c3d31d0c26a007240d0b695651df5abe3cb7fafa2a89176186b9b753a4e866a066ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\fr\Microsoft.Win32.TaskScheduler.resources.dll.genman

Filesize
716B

MD5
7fc260adcb2570ff886abe8c0ec78cfd

SHA1
d045d71a0cb2655875e46af0aa47a14a595fcd0a

SHA256
641b5db14f2119e765f6b99b59f0a5d75b72a37632e1de0292258eb8260aff34

SHA512
81c2e50bd2fc95f7c5f16b28a63a08bc360fec6dd3c9524f314ec0e852ad4cb735f31aad24b2e8ebc6467ee6042d42faf94b7f7fda364afb57ed5a7da5c515f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\it\Microsoft.Win32.TaskScheduler.resources.dll

Filesize
10KB

MD5
219e3fca6ce9fd1a81f93204b5eff759

SHA1
c30dfada4ace03f52f9b9fbd640c33e0358ff0f3

SHA256
fd86b62d37f033217bf73cfce565b6ff7f647dcc0b0db346cff42e226aaae27e

SHA512
350936613a3f57b81bfed686a673682fe99fd9317cfc04b14a300d29f5b45b256e6315cdeb49afa38f7f7d0a312f614f32cf5f83ba0b89bba32997fb7e236727

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\it\Microsoft.Win32.TaskScheduler.resources.dll.genman

Filesize
716B

MD5
f304feaf2918e181b7bb2f8e611cae7d

SHA1
0c4419f4c34ebdb97eb0327f3e5674ec08dc2c9b

SHA256
fd3fc2f9ed03c7d82bf04a56ff568fcec37dc83db1e7cc1d9b72486e308ad104

SHA512
f748851b1b588a732837b562bda23460d966528ec24ae8aaa80f3228acb3ea522348ac0dfa0cd3ca5a5e6f4ef0491bcaa16a4b99f6ddd61c8557a52da1fa7788

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\ja\Microsoft.Win32.TaskScheduler.resources.dll

Filesize
10KB

MD5
0d4f5ebed1fdbf4495827f480349b4d9

SHA1
0e90cec00d0c1702531de940a2259d819a38b1bd

SHA256
db4d7ccc6ff1a58d3cb94e5ab49d5d93943c64c35d10b283ed51191f9d3a655d

SHA512
d7c11e5fea1dbe98a93d2fe0b00b2e9dd6ebe77cbac559822c4d0e1071f0cab0a8e3bc992f6ed0ffd9f23f0af592dc906744415a9914ad337eb3946c9532fa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\ja\Microsoft.Win32.TaskScheduler.resources.dll.genman

Filesize
716B

MD5
5bb46b1f72c09c89672c91a96a019723

SHA1
c34a162840f82768cd10b2e0be594adbd3fb5168

SHA256
9a6d9dff0b10b7347d791383ed6b8b6efc595b226a780a6f767bc883ca050f6d

SHA512
16f387c231b8cbb75bca77940beb063c2378775546adaa0eced999af1cd9645213c625a5e20dd8445dde96af248147ec738723ad67b3adb5a5971d2ed6a99f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\pl\Microsoft.Win32.TaskScheduler.resources.dll

Filesize
10KB

MD5
650119802a82603072b8af317c1b220a

SHA1
c9636dab6314981dfb84029444a8ee7bca7ad782

SHA256
9a34ee28ae9a8364287517c993077afd139fea1f69086aa51345e1045b1287e9

SHA512
635c1462948d3d9817981d9d8182d3354911d2e7262f3fdda2df1f91538f2cf13d0329ea517d67c6e54ceb9d47547faba10a134b3ecc631ee5ceee54cf8de4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\pl\Microsoft.Win32.TaskScheduler.resources.dll.genman

Filesize
716B

MD5
9633656500e51191143f034bb9489877

SHA1
89cc701383783604feb6d54d66724805d9cb1607

SHA256
d9c467474fee33a6d74c9ec4af9b657099c92d9858f40077a18e5eeb73299e8a

SHA512
fa2c53b886da6e02ea17d2c18c2922355f9fa40cb80c4929c9d5fd3259c87897db58b91067c5dbed85b2cc0f1e79c76f417f23f86c2c3fbd07a21b3aed8b4b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\ru\Microsoft.Win32.TaskScheduler.resources.dll

Filesize
10KB

MD5
a0c3f4f5d9a970e2e7859fe81ad1fcce

SHA1
c5084fe347dba5826e1a8371f1b83c5e25ac7e82

SHA256
4265a4010ea2fa79897333d8dbb0b4229d2d9aedeeb45fc47719d0b31355f480

SHA512
711220a3e0cab099af51887dd6fabcf22d5b8e102c6771d2d173a04a8fa22ea7752817e5554057a49d5681129604d94de95a5c2855f8dd674a2678d56eac69b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\ru\Microsoft.Win32.TaskScheduler.resources.dll.genman

Filesize
716B

MD5
6effdf3ec235f8cb47fe60d2411aa4f7

SHA1
5f45e5bea504c7fc8ddf1f0b4f46521587664c13

SHA256
a8df9c9bbd182ca5768ff09d2da6b93553cc51b7b30dff059623ab70aecf6c13

SHA512
4848946145a7cd7298b2581808a275da8d6cb4709d295b5ce0ce527a1239efe9152789ace5d199e740b628f0b826ad68f855b930ec766f2d6d2f897a806bbe9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\sv\Microsoft.Win32.TaskScheduler.resources.dll

Filesize
9KB

MD5
f733fcbdffe36b8e3c5e02af14d6d458

SHA1
55301694f0a4732e35bf8d1043f1318630c54057

SHA256
078047942ef77eba4bbda2a5f22d572b82a86f7060589aace64cb0c187d3942e

SHA512
2dcb6f72f2cc4daf095bd63e6741fb0a52dc01196197beed0cecc636f1dc91d076e0c8b3e5398172e6bfb6c470e1a244dcc90b631fe6528cd4ae9d000c76697f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\sv\Microsoft.Win32.TaskScheduler.resources.dll.genman

Filesize
716B

MD5
70ec0ce469c5175fb389e79ab173f939

SHA1
0fa1741b6b51204dd343888d4f30a209a267aa49

SHA256
7f5de0bdc24fa57c8beb1ff297b42c043c1cdc31e228ceb89c3cca742efd02d0

SHA512
20425b03454757272b90d731b138c2d9c0609bb134f3ca3f9872d098c300fa2b854d2b850cc52a24ba89eb3b00089b709adb7586055ee9226a38efd6100390e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\tr\Microsoft.Win32.TaskScheduler.resources.dll

Filesize
10KB

MD5
aace67685fd7644169aa26477abda8a9

SHA1
9bda66c81dfac4dc76efe52abb5d4e34438216f6

SHA256
0d4b98dd368ca2389d75d69e9e006c9e88564dbffcfc2216d3fab87c99785db4

SHA512
d31f2f991450668418ffca28958079c4237b5588c3a62d52225d1faeb0d10e6a5e89ad33e997977f083016219cdfe2ed45a735fcfc9b9babef4c2ac824e03205

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\tr\Microsoft.Win32.TaskScheduler.resources.dll.genman

Filesize
716B

MD5
533727a45fa51712d97323388b4615ad

SHA1
6466834aa6605826b9136722d83d5a90b4364069

SHA256
a98f4ab1300f690662549e2d41edbca1cb1e419abe7e18ae60ff6dd292fe9ac5

SHA512
9221009fae3622bd658d24d39ac10cca61c4e91022af8bdf3cf6e7c1311be0548b09ed27d420e1ca20daa13e62835990f620430e050c09e09f25008e42902ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll

Filesize
9KB

MD5
d11238d12633e7ef9698a3c0780e8ebb

SHA1
6057cd2b0fd283a99ce0589a1a5913468743e1e2

SHA256
42570851b0a73df1a810133e5ce9b396ca820d8000f0d2fd24862ba5c1da1e63

SHA512
a052b578e6c130c7319493488b68b804b73ecc88b12aa6620093a18233a054e91e1e90e1736be53bb74c1829e7229af3a128f9557c1a6792b165d08c5fede45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll.genman

Filesize
719B

MD5
fe0eba9b488fdb720494b9b37410b27e

SHA1
ed996471a145391eb6b8a606c7498a836c3aedc6

SHA256
f730919b358e5616b7f87c471e850c57c5adc31cf5b8638066225710ec03ab9e

SHA512
7634a860cf7d8949ce012c38ccfe554692ebd821526094f27fc9729c7fa55fe86ef395b42ebc2b1e02ae057db6d2791f124339eae4d75ba9ef7662953f499ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll

Filesize
9KB

MD5
b7a183a68c0ffd49074da859ccd79d1e

SHA1
d13f2ad7b6025175bc0473a6533e035fd697e1b5

SHA256
c845e45ecaf2d9852f80a7f56fede5eb33b70d2cbcd6c0bcccf5bc8d2b576336

SHA512
eeb149b81ed7f42829143f3080649d0fcb802e06c51ea21bc94d6fb94fa39efd0ebef46551564ccbfaef08a10442141f7573782e52380682bd4bdd9a9c3834d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\44N847GQ.OK4\XON1VQWT.GJC\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll.genman

Filesize
721B

MD5
5519fb03dffc417e7210b91355afe51d

SHA1
6eaf73c2f84c45eea05686aec7a01772def124fd

SHA256
f0a7073c44bc1e5756ae6da17678be55ec70f2124dc14084a319719731eeb7f4

SHA512
e08e675a713a55f559942e59482d758ccb1c4eb5e36fec81c30bc08e5bc3c90e1233438ec24bcca163ebc43fc0b194b211e32e3cf4890d45c25295e5a5d2fa64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\6L5VW5GT.9XJ\K97ZYWOO.8ZE.application

Filesize
5KB

MD5
7bb1643fe5c84c99f091fdd51730c5f0

SHA1
d90d188556c47d78568f45c91cf957dacf62a422

SHA256
ec2d5639daec5d9851d5cd53c7aa02323a4fae25d04d540e4bf7913e296b4509

SHA512
88c55f20576a0b17ea294b5ae9513741a0ea949df69ec069336eb394036b3b2ff363fff315bcba93c757f944bcefa65faf951d7edda87a74305cf7aa9d235e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ebvt3lyo.kv1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\Assets\npvavqjt.s0s

Filesize
80B

MD5
8f46c50448e83d7e286be1cce3f6a325

SHA1
def1dbdceecab6a4c385b9fdbdf612b0fb029f3a

SHA256
e5a5085ee103082af4ed08a245ebab5b2cff3362de6cf0a9a0e710b14567aa35

SHA512
d7c4590f10351ad0b4768272dbe0943de399fd1c6f9275949eefae63dbcea434cb3603336732f1dfe27b391ddb43473630b9a6ba6d8f7e73df5312eef721d89f

Download Submit
C:\Windows\servicing\Editions\sqbsjyr2.s0s

Filesize
23KB

MD5
e21ec7d8007a6183d064069438298ac9

SHA1
7a772fec0d9e66a105bef8b75c169df505b736f2

SHA256
0498dcc907a3424664b606a39b53babc83fbf77f326fc9514a7ac9a44d48d7e3

SHA512
a9d386e968587b7dacebecf8d9fa1bce1e03b79efb911a7af2ab0555928b1581fe847f02c432baeb4988dfa3bf3da7485ce6924bafe42e3812ecc6aa16860494

Download Submit
memory/1444-514-0x0000000005640000-0x0000000005698000-memory.dmp

Filesize
352KB

Download
memory/1444-513-0x0000000000B70000-0x0000000000BB4000-memory.dmp

Filesize
272KB

Download
memory/2628-581-0x0000000006360000-0x0000000006404000-memory.dmp

Filesize
656KB

Download
memory/2628-571-0x0000000005310000-0x000000000535C000-memory.dmp

Filesize
304KB

Download
memory/2628-567-0x0000000004E30000-0x0000000005187000-memory.dmp

Filesize
3.3MB

Download
memory/2628-572-0x0000000070A20000-0x0000000070A6C000-memory.dmp

Filesize
304KB

Download
memory/2628-582-0x0000000006830000-0x0000000006841000-memory.dmp

Filesize
68KB

Download
memory/2628-583-0x0000000006870000-0x0000000006885000-memory.dmp

Filesize
84KB

Download
memory/4092-547-0x0000000007300000-0x000000000730A000-memory.dmp

Filesize
40KB

Download
memory/4092-534-0x000000006FD60000-0x000000006FDAC000-memory.dmp

Filesize
304KB

Download
memory/4092-553-0x00000000075C0000-0x00000000075C8000-memory.dmp

Filesize
32KB

Download
memory/4092-552-0x00000000075D0000-0x00000000075EA000-memory.dmp

Filesize
104KB

Download
memory/4092-551-0x00000000074D0000-0x00000000074E5000-memory.dmp

Filesize
84KB

Download
memory/4092-550-0x00000000074C0000-0x00000000074CE000-memory.dmp

Filesize
56KB

Download
memory/4092-549-0x0000000007490000-0x00000000074A1000-memory.dmp

Filesize
68KB

Download
memory/4092-548-0x0000000007510000-0x00000000075A6000-memory.dmp

Filesize
600KB

Download
memory/4092-545-0x00000000078C0000-0x0000000007F3A000-memory.dmp

Filesize
6.5MB

Download
memory/4092-546-0x0000000007280000-0x000000000729A000-memory.dmp

Filesize
104KB

Download
memory/4092-516-0x0000000002720000-0x0000000002756000-memory.dmp

Filesize
216KB

Download
memory/4092-517-0x00000000052D0000-0x00000000058FA000-memory.dmp

Filesize
6.2MB

Download
memory/4092-518-0x0000000005190000-0x00000000051B2000-memory.dmp

Filesize
136KB

Download
memory/4092-544-0x0000000007140000-0x00000000071E4000-memory.dmp

Filesize
656KB

Download
memory/4092-519-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/4092-520-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/4092-543-0x0000000006EE0000-0x0000000006EFE000-memory.dmp

Filesize
120KB

Download
memory/4092-530-0x0000000005A50000-0x0000000005DA7000-memory.dmp

Filesize
3.3MB

Download
memory/4092-531-0x0000000005F20000-0x0000000005F3E000-memory.dmp

Filesize
120KB

Download
memory/4092-532-0x0000000005FE0000-0x000000000602C000-memory.dmp

Filesize
304KB

Download
memory/4092-533-0x0000000006F00000-0x0000000006F34000-memory.dmp

Filesize
208KB

Download
memory/4816-12-0x00007FFAD4070000-0x00007FFAD4B32000-memory.dmp

Filesize
10.8MB

Download
memory/4816-31-0x000001F651F60000-0x000001F651F68000-memory.dmp

Filesize
32KB

Download
memory/4816-25-0x000001F651F60000-0x000001F651F68000-memory.dmp

Filesize
32KB

Download
memory/4816-558-0x00007FFAD4070000-0x00007FFAD4B32000-memory.dmp

Filesize
10.8MB

Download
memory/4816-19-0x00007FFAD4070000-0x00007FFAD4B32000-memory.dmp

Filesize
10.8MB

Download
memory/4816-49-0x000001F651F60000-0x000001F651F68000-memory.dmp

Filesize
32KB

Download
memory/4816-1-0x00007FFAD4073000-0x00007FFAD4075000-memory.dmp

Filesize
8KB

Download
memory/4816-2-0x000001F650960000-0x000001F650AE8000-memory.dmp

Filesize
1.5MB

Download
memory/4816-4-0x00007FFAD4070000-0x00007FFAD4B32000-memory.dmp

Filesize
10.8MB

Download
memory/4816-7-0x000001F651D70000-0x000001F651DC0000-memory.dmp

Filesize
320KB

Download
memory/4816-37-0x000001F651F60000-0x000001F651F68000-memory.dmp

Filesize
32KB

Download
memory/4816-529-0x00007FFAD4070000-0x00007FFAD4B32000-memory.dmp

Filesize
10.8MB

Download
memory/4816-43-0x000001F651F60000-0x000001F651F68000-memory.dmp

Filesize
32KB

Download
memory/4816-54-0x000001F6534F0000-0x000001F653534000-memory.dmp

Filesize
272KB

Download
memory/4816-67-0x000001F651F60000-0x000001F651F68000-memory.dmp

Filesize
32KB

Download
memory/4816-73-0x000001F651F60000-0x000001F651F68000-memory.dmp

Filesize
32KB

Download
memory/4816-61-0x000001F651F60000-0x000001F651F68000-memory.dmp

Filesize
32KB

Download
memory/4816-0-0x000001F6363C0000-0x000001F6363C8000-memory.dmp

Filesize
32KB

Download
memory/4816-79-0x000001F651F60000-0x000001F651F68000-memory.dmp

Filesize
32KB

Download
memory/4816-85-0x000001F651F60000-0x000001F651F68000-memory.dmp

Filesize
32KB

Download
memory/4816-91-0x000001F651F60000-0x000001F651F68000-memory.dmp

Filesize
32KB

Download