3eb17d6339fbc7aee72f05936cef737692f7d96a8ba15970b9da3a998a9f3887

Resubmissions

01-07-2024 04:15

240701-evn2dsyhpp 7

01-07-2024 04:14

240701-etv4bawclc 7

Analysis

max time kernel
256s
max time network
257s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stardock Start11 v2.0.7.4 - HaxPC.net.rar
Size

50.4MB
MD5

4e5147ecb92436c973fa8dc95fda2dfd
SHA1

fded7b375eb7c1a687f9ecf82dca2dde82c7ef67
SHA256

3eb17d6339fbc7aee72f05936cef737692f7d96a8ba15970b9da3a998a9f3887
SHA512

3001b43d35b86fd4653cdb1ab2380f04688979c2118851c0c0ed325d1b717810494b79a30b594e3b65f3030b1330222e218e1112f257317761e4dd11873d3adf
SSDEEP

1572864:kxftmqJM7A9Ey/Hrhj1Po1DhW7bs5tbbsOH4PB3:kh67wh/HrhjFUW/IbC3

Score

7^/10

discovery persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 29 IoCs

Processes:

Start11v2-setup.exeirsetup.exeGetMachineSID.exeStart11Srv.exeStart11Srv.exeStart11_64.exeStart11_64.exeStart11Config.exeStart11Config.exeSdDisplay.exeStart11Config.exex64-patch.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exeStart11Config.exeSdDisplay.exe

pid	process
3680	Start11v2-setup.exe
1176	irsetup.exe
2592	GetMachineSID.exe
4484	Start11Srv.exe
2072	Start11Srv.exe
5016	Start11_64.exe
4200	Start11_64.exe
2528	Start11Config.exe
4872	Start11Config.exe
3708	SdDisplay.exe
1384	Start11Config.exe
4664	x64-patch.exe
388	movefile.exe
1948	movefile.exe
4904	movefile.exe
1160	movefile.exe
408	movefile.exe
3728	movefile.exe
3888	movefile.exe
1584	movefile.exe
2012	movefile.exe
1396	movefile.exe
1164	movefile.exe
4352	movefile.exe
1844	movefile.exe
4780	movefile.exe
3412
1896	Start11Config.exe
1836	SdDisplay.exe

Loads dropped DLL 28 IoCs

Processes:

irsetup.exeStart11_64.exeStart11_64.exeStart11Config.exeStart11Config.exeSdDisplay.exeregsvr32.exeregsvr32.exeStart11Config.exe7zFM.exex64-patch.exeStart11Config.exeSdDisplay.exe

pid	process
1176	irsetup.exe
1176	irsetup.exe
4200	Start11_64.exe
5016	Start11_64.exe
2528	Start11Config.exe
3240
4872	Start11Config.exe
4872	Start11Config.exe
3708	SdDisplay.exe
3708	SdDisplay.exe
3708	SdDisplay.exe
1340	regsvr32.exe
3040	regsvr32.exe
3040	regsvr32.exe
1384	Start11Config.exe
3876	7zFM.exe
240
4664	x64-patch.exe
4664	x64-patch.exe
1744
568
4192
3240
1032
1896	Start11Config.exe
1836	SdDisplay.exe
1836	SdDisplay.exe
1836	SdDisplay.exe

Modifies system executable filetype association 2 TTPs 6 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Start10Shell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Start10Shell\ = "{6A451C0A-9597-4915-BCCE-6E859BC996B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Start10Shell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Start10Shell\ = "{6A451C0A-9597-4915-BCCE-6E859BC996B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Start10Shell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Start10Shell\ = "{6A451C0A-9597-4915-BCCE-6E859BC996B2}"	regsvr32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/1176-35-0x0000000000190000-0x0000000000578000-memory.dmp	upx
behavioral1/memory/1176-97-0x0000000000190000-0x0000000000578000-memory.dmp	upx
behavioral1/memory/1176-361-0x0000000000190000-0x0000000000578000-memory.dmp	upx
behavioral1/memory/1176-333-0x0000000000190000-0x0000000000578000-memory.dmp	upx
behavioral1/memory/1176-811-0x0000000000190000-0x0000000000578000-memory.dmp	upx
behavioral1/memory/1176-837-0x0000000000190000-0x0000000000578000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

irsetup.exex64-patch.execmd.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Stardock\Start11\defs.ini	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\Links\24.lnk	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\Links\8.lnk	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\Start11.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-13.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\Links\4.lnk	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\Start10.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\lang\ru.lng	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\StartButtons\Start2.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\Start11_64.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-21.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\start10_A64.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\SasUpgrade.exe	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Metal Grid_x2.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Metallic_x2.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Rusty Metal Grid_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Grunge Stone 01_x2.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-20.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\Uninstall\uninstall.xml	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\start10_64.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\Links\31.lnk	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\StartButtons\Element Large.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Leather_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\S11Search.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-02.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-21.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Small Angle Stripes_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Corroded_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Marble_x2.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\Stardock.ApplicationServices.dll.todo.BAK	x64-patch.exe
File created	C:\Program Files (x86)\Stardock\Start11\lang\pl.lng	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\Uninstall\IRIMG1.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\start10_64.dll.todo	cmd.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\StartButtons\Start6.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\PinMenu.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\SdAppServices.dll.todo	cmd.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\Start10Shell64.dll	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\Links\22.lnk	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Jeans_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Dark Wood_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-08.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\SdAppServices.dll	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-11.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\start10_32.dll.todo.BAK	x64-patch.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-16.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\SdAppServices.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\lang\en.lng	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\StartButtons\Sonar.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\movefile.exe	x64-patch.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-11.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\start10_64.dll	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Fabric_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Taskbar Grid 03 Mono.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-18.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-24.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\Start11_A64.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\Uninstall\uni7C50.tmp	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe.config	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\StartButtons\Echo.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Metal Grid_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Metallic_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-15.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Rust_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\Start11_64.exe	irsetup.exe

Drops file in Windows directory 4 IoCs

Processes:

x64-patch.exe

description	ioc	process
File opened for modification	C:\Windows\wontrust.dll	x64-patch.exe
File created	C:\Windows\womtrust.dll	x64-patch.exe
File opened for modification	C:\Windows\womtrust.dll	x64-patch.exe
File created	C:\Windows\wontrust.dll	x64-patch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3788 3708 WerFault.exe SdDisplay.exe
776 1836 WerFault.exe SdDisplay.exe

pid	pid_target	process	target process
3788	3708	WerFault.exe	SdDisplay.exe
776	1836	WerFault.exe	SdDisplay.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

SdDisplay.exeSdDisplay.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL\SdDisplay.exe = "1"	SdDisplay.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SdDisplay.exe = "11001"	SdDisplay.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL	SdDisplay.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL\SdDisplay.exe = "1"	SdDisplay.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SdDisplay.exe = "11001"	SdDisplay.exe

Modifies registry class 64 IoCs

Processes:

x64-patch.exeOpenWith.exeStart11Config.exeregsvr32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	x64-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	x64-patch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	x64-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	x64-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	x64-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	x64-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	x64-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	x64-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	x64-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	x64-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S8Theme\shell	Start11Config.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	x64-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	x64-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	x64-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	x64-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	x64-patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S8Theme\shell\open	Start11Config.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	x64-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	x64-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	x64-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Applications\7zFM.exe	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	x64-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A451C0A-9597-4915-BCCE-6E859BC996B2}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	x64-patch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	x64-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	x64-patch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	x64-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	x64-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	x64-patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A451C0A-9597-4915-BCCE-6E859BC996B2}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	x64-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	x64-patch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Start10Shell\ = "{6A451C0A-9597-4915-BCCE-6E859BC996B2}"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	x64-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	x64-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	x64-patch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	x64-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	x64-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	x64-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c00310000000000a8588e7a110050524f4752417e310000740009000400efbec5525961a8588e7a2e0000003f0000000000010000000000000000004a00000000002c1dfd00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	x64-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	x64-patch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S8Theme\shell\open\command\ = "\"C:\\Program Files (x86)\\Stardock\\Start11\\ExtractS8Theme.exe\" \"%1\""	Start11Config.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	x64-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "5"	x64-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	x64-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	x64-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Start11Config.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Start11Config.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Start11Config.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Start11Config.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SdDisplay.exeSdDisplay.exe

pid process

3708 SdDisplay.exe
3708 SdDisplay.exe
3708 SdDisplay.exe
1836 SdDisplay.exe
1836 SdDisplay.exe
1836 SdDisplay.exe
Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

OpenWith.exeStart11Config.exex64-patch.exeStart11Config.exe

pid process

4720 OpenWith.exe
4872 Start11Config.exe
4664 x64-patch.exe
1896 Start11Config.exe

pid	process
3708	SdDisplay.exe
3708	SdDisplay.exe
3708	SdDisplay.exe
1836	SdDisplay.exe
1836	SdDisplay.exe
1836	SdDisplay.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

7zFM.exeStart11Srv.exeSdDisplay.exeStart11_64.exeStart11_64.exe7zFM.exeSdDisplay.exe

description	pid	process
Token: SeRestorePrivilege	3156	7zFM.exe
Token: 35	3156	7zFM.exe
Token: SeSecurityPrivilege	3156	7zFM.exe
Token: 33	2072	Start11Srv.exe
Token: SeIncBasePriorityPrivilege	2072	Start11Srv.exe
Token: SeDebugPrivilege	3708	SdDisplay.exe
Token: 33	4200	Start11_64.exe
Token: SeIncBasePriorityPrivilege	4200	Start11_64.exe
Token: 33	5016	Start11_64.exe
Token: SeIncBasePriorityPrivilege	5016	Start11_64.exe
Token: SeRestorePrivilege	3876	7zFM.exe
Token: 35	3876	7zFM.exe
Token: SeSecurityPrivilege	3876	7zFM.exe
Token: SeDebugPrivilege	1836	SdDisplay.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

7zFM.exeStart11_64.exeStart11_64.exeStart11Config.exeStart11Config.exeStart11Config.exe7zFM.exeStart11Config.exe

pid	process
3156	7zFM.exe
3156	7zFM.exe
4200	Start11_64.exe
5016	Start11_64.exe
4872	Start11Config.exe
4872	Start11Config.exe
2528	Start11Config.exe
1384	Start11Config.exe
3876	7zFM.exe
3876	7zFM.exe
5016	Start11_64.exe
4200	Start11_64.exe
4200	Start11_64.exe
5016	Start11_64.exe
4200	Start11_64.exe
5016	Start11_64.exe
4200	Start11_64.exe
5016	Start11_64.exe
1896	Start11Config.exe
1896	Start11Config.exe
1896	Start11Config.exe
1896	Start11Config.exe
5016	Start11_64.exe
4200	Start11_64.exe
5016	Start11_64.exe
4200	Start11_64.exe

Suspicious use of SetWindowsHookEx 55 IoCs

Processes:

OpenWith.exeStart11v2-setup.exeirsetup.exeGetMachineSID.exeStart11_64.exeStart11_64.exeStart11Config.exeStart11Config.exeSdDisplay.exeStart11Config.exex64-patch.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exemovefile.exeStart11Config.exeSdDisplay.exe

pid	process
4720	OpenWith.exe
4720	OpenWith.exe
4720	OpenWith.exe
4720	OpenWith.exe
4720	OpenWith.exe
4720	OpenWith.exe
4720	OpenWith.exe
4720	OpenWith.exe
4720	OpenWith.exe
4720	OpenWith.exe
4720	OpenWith.exe
4720	OpenWith.exe
4720	OpenWith.exe
4720	OpenWith.exe
3680	Start11v2-setup.exe
1176	irsetup.exe
1176	irsetup.exe
1176	irsetup.exe
2592	GetMachineSID.exe
1176	irsetup.exe
1176	irsetup.exe
1176	irsetup.exe
5016	Start11_64.exe
4200	Start11_64.exe
5016	Start11_64.exe
2528	Start11Config.exe
2528	Start11Config.exe
4872	Start11Config.exe
4872	Start11Config.exe
4872	Start11Config.exe
3708	SdDisplay.exe
3708	SdDisplay.exe
1384	Start11Config.exe
1384	Start11Config.exe
4664	x64-patch.exe
4664	x64-patch.exe
388	movefile.exe
1948	movefile.exe
4904	movefile.exe
1160	movefile.exe
408	movefile.exe
3728	movefile.exe
3888	movefile.exe
1584	movefile.exe
2012	movefile.exe
1396	movefile.exe
1164	movefile.exe
4352	movefile.exe
1844	movefile.exe
4780	movefile.exe
1896	Start11Config.exe
1896	Start11Config.exe
1896	Start11Config.exe
1836	SdDisplay.exe
1836	SdDisplay.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OpenWith.exeStart11v2-setup.exeirsetup.exeStart11Srv.exeStart11Srv.exeStart11Config.exeregsvr32.exex64-patch.execmd.exe

description	pid	process	target process
PID 4720 wrote to memory of 3156	4720	OpenWith.exe	7zFM.exe
PID 4720 wrote to memory of 3156	4720	OpenWith.exe	7zFM.exe
PID 3680 wrote to memory of 1176	3680	Start11v2-setup.exe	irsetup.exe
PID 3680 wrote to memory of 1176	3680	Start11v2-setup.exe	irsetup.exe
PID 3680 wrote to memory of 1176	3680	Start11v2-setup.exe	irsetup.exe
PID 1176 wrote to memory of 4212	1176	irsetup.exe	reg.exe
PID 1176 wrote to memory of 4212	1176	irsetup.exe	reg.exe
PID 1176 wrote to memory of 4212	1176	irsetup.exe	reg.exe
PID 1176 wrote to memory of 2592	1176	irsetup.exe	GetMachineSID.exe
PID 1176 wrote to memory of 2592	1176	irsetup.exe	GetMachineSID.exe
PID 1176 wrote to memory of 2592	1176	irsetup.exe	GetMachineSID.exe
PID 1176 wrote to memory of 756	1176	irsetup.exe	cmd.exe
PID 1176 wrote to memory of 756	1176	irsetup.exe	cmd.exe
PID 1176 wrote to memory of 756	1176	irsetup.exe	cmd.exe
PID 1176 wrote to memory of 4836	1176	irsetup.exe	cmd.exe
PID 1176 wrote to memory of 4836	1176	irsetup.exe	cmd.exe
PID 1176 wrote to memory of 4836	1176	irsetup.exe	cmd.exe
PID 1176 wrote to memory of 4484	1176	irsetup.exe	Start11Srv.exe
PID 1176 wrote to memory of 4484	1176	irsetup.exe	Start11Srv.exe
PID 1176 wrote to memory of 4484	1176	irsetup.exe	Start11Srv.exe
PID 4484 wrote to memory of 5016	4484	Start11Srv.exe	Start11_64.exe
PID 4484 wrote to memory of 5016	4484	Start11Srv.exe	Start11_64.exe
PID 2072 wrote to memory of 4200	2072	Start11Srv.exe	Start11_64.exe
PID 2072 wrote to memory of 4200	2072	Start11Srv.exe	Start11_64.exe
PID 1176 wrote to memory of 2528	1176	irsetup.exe	Start11Config.exe
PID 1176 wrote to memory of 2528	1176	irsetup.exe	Start11Config.exe
PID 1176 wrote to memory of 2528	1176	irsetup.exe	Start11Config.exe
PID 4872 wrote to memory of 3708	4872	Start11Config.exe	SdDisplay.exe
PID 4872 wrote to memory of 3708	4872	Start11Config.exe	SdDisplay.exe
PID 4872 wrote to memory of 3708	4872	Start11Config.exe	SdDisplay.exe
PID 1176 wrote to memory of 1340	1176	irsetup.exe	regsvr32.exe
PID 1176 wrote to memory of 1340	1176	irsetup.exe	regsvr32.exe
PID 1176 wrote to memory of 1340	1176	irsetup.exe	regsvr32.exe
PID 1340 wrote to memory of 3040	1340	regsvr32.exe	regsvr32.exe
PID 1340 wrote to memory of 3040	1340	regsvr32.exe	regsvr32.exe
PID 1176 wrote to memory of 1384	1176	irsetup.exe	Start11Config.exe
PID 1176 wrote to memory of 1384	1176	irsetup.exe	Start11Config.exe
PID 1176 wrote to memory of 1384	1176	irsetup.exe	Start11Config.exe
PID 4664 wrote to memory of 248	4664	x64-patch.exe	cmd.exe
PID 4664 wrote to memory of 248	4664	x64-patch.exe	cmd.exe
PID 4664 wrote to memory of 4612	4664	x64-patch.exe	cmd.exe
PID 4664 wrote to memory of 4612	4664	x64-patch.exe	cmd.exe
PID 4664 wrote to memory of 2928	4664	x64-patch.exe	cmd.exe
PID 4664 wrote to memory of 2928	4664	x64-patch.exe	cmd.exe
PID 2928 wrote to memory of 388	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 388	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 388	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 1948	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 1948	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 1948	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 4904	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 4904	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 4904	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 1160	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 1160	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 1160	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 408	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 408	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 408	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 3728	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 3728	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 3728	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 3888	2928	cmd.exe	movefile.exe
PID 2928 wrote to memory of 3888	2928	cmd.exe	movefile.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Stardock Start11 v2.0.7.4 - HaxPC.net.rar"
1⤵
PID:5076

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4720

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Stardock Start11 v2.0.7.4 - HaxPC.net.rar"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3156

C:\Users\Admin\Desktop\Start11v2-setup.exe
"C:\Users\Admin\Desktop\Start11v2-setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1936418 "__IRAFN:C:\Users\Admin\Desktop\Start11v2-setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2457560273-69882387-977367775-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32
3⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stardock\Stardock ModernMix.lnk" (del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stardock\Stardock ModernMix.lnk" & echo found)
3⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stardock\Stardock Start11.lnk" (del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stardock\Stardock Start11.lnk" & echo found)
3⤵
PID:4836

C:\Program Files (x86)\Stardock\Start11\Start11Srv.exe
"C:\Program Files (x86)\Stardock\Start11\Start11Srv.exe" -install
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484

C:\Program Files (x86)\Stardock\Start11\Start11_64.exe
"C:\Program Files (x86)\Stardock\Start11\Start11_64.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Program Files (x86)\Stardock\Start11\Start11Config.exe
"C:\Program Files (x86)\Stardock\Start11\Start11Config.exe" INSTALL
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Stardock\Start11\Start10Shell64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Stardock\Start11\Start10Shell64.dll"
4⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Modifies registry class
PID:3040

C:\Program Files (x86)\Stardock\Start11\Start11Config.exe
"C:\Program Files (x86)\Stardock\Start11\Start11Config.exe" FIXSEARCH
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1384

C:\Program Files (x86)\Stardock\Start11\Start11Srv.exe
"C:\Program Files (x86)\Stardock\Start11\Start11Srv.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072

C:\Program Files (x86)\Stardock\Start11\Start11_64.exe
"C:\Program Files (x86)\Stardock\Start11\Start11_64.exe" START
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4200

C:\Program Files (x86)\Stardock\Start11\Start11Config.exe
"C:\Program Files (x86)\Stardock\Start11\Start11Config.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4872

C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe
"C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe" -prodId=2674 -ProdName="Start11" -company="Stardock" -forceUi="Welcome" -parentPid=4872 -prodVer="2.0.7.3" -ResponsePipe=1888 -ownerWnd=000F0070
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 2296
3⤵
- Program crash
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3708 -ip 3708
1⤵
PID:2080

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\x64-patch.rar"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3876

C:\Users\Admin\Desktop\x64-patch.exe
"C:\Users\Admin\Desktop\x64-patch.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Stardock\Start11\pointer.bat"
2⤵
PID:248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Stardock\Start11\pre.bat"
2⤵
- Drops file in Program Files directory
PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Stardock\Start11\post.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Program Files (x86)\Stardock\Start11\movefile.exe
movefile /accepteula "Start11Config.exe" ""
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:388

C:\Program Files (x86)\Stardock\Start11\movefile.exe
movefile /accepteula "SdAppServices.dll" ""
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Program Files (x86)\Stardock\Start11\movefile.exe
movefile /accepteula "Stardock.ApplicationServices.dll" ""
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Program Files (x86)\Stardock\Start11\movefile.exe
movefile /accepteula "Start10Shell64.dll" ""
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Program Files (x86)\Stardock\Start11\movefile.exe
movefile /accepteula "Start10Shell32.dll" ""
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:408

C:\Program Files (x86)\Stardock\Start11\movefile.exe
movefile /accepteula "start10_64.dll" ""
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3728

C:\Program Files (x86)\Stardock\Start11\movefile.exe
movefile /accepteula "start10_32.dll" ""
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3888

C:\Program Files (x86)\Stardock\Start11\movefile.exe
movefile /accepteula "Start11Config.exe.todo" "Start11Config.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Program Files (x86)\Stardock\Start11\movefile.exe
movefile /accepteula "SdAppServices.dll.todo" "SdAppServices.dll"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Program Files (x86)\Stardock\Start11\movefile.exe
movefile /accepteula "Stardock.ApplicationServices.dll.todo" "Stardock.ApplicationServices.dll"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Program Files (x86)\Stardock\Start11\movefile.exe
movefile /accepteula "Start10Shell64.dll.todo" "Start10Shell64.dll"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Program Files (x86)\Stardock\Start11\movefile.exe
movefile /accepteula "Start10Shell32.dll.todo" "Start10Shell32.dll"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4352

C:\Program Files (x86)\Stardock\Start11\movefile.exe
movefile /accepteula "start10_64.dll.todo" "start10_64.dll"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Program Files (x86)\Stardock\Start11\movefile.exe
movefile /accepteula "start10_32.dll.todo" "start10_32.dll"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2204

C:\Program Files (x86)\Stardock\Start11\Start11Config.exe
"C:\Program Files (x86)\Stardock\Start11\Start11Config.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1896

C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe
"C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe" -prodId=2674 -ProdName="Start11" -company="Stardock" -forceUi="Welcome" -parentPid=1896 -prodVer="2.0.7.3" -ResponsePipe=1840 -ownerWnd=0006023E
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 2284
3⤵
- Program crash
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1836 -ip 1836
1⤵
PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Stardock\Start11\Default.spak
Filesize
294KB

MD5
91dc5a5fa0a6b9b170ddccd64e319f0e

SHA1
9bc9a72c3d84916bb4ef35895d4d4669ae74f88f

SHA256
76944ae6f34f28cbd35df832bf474aec8694a438d508cf6f45725a02f32b3bdb

SHA512
9b1f79424f45b6152e45f3994b77e2e60618dd074104d07037c35c7ed9e96fa7747253097965f14f66411af440b2648a5ea2dec10ab8bc2a0d7fe3a06a4e6cf9

Download Submit
C:\Program Files (x86)\Stardock\Start11\Lang\en-US.lng
Filesize
112KB

MD5
a3be220e39e619e45133301c93629209

SHA1
be162ab451b44489573fd971de794e812306a091

SHA256
d33276820065e330b758282a6a5328e87d3db870dbc3a6c702897f75b99f8646

SHA512
eaeb4c46eadf4da085a2671fbd802b03bb5844c8e5d8926bede9f56d65fedafe2b9272d6c9806f94dd5d91489dd3ca4c52e08665db611c2eb99ebdf4819d643f

Download Submit
C:\Program Files (x86)\Stardock\Start11\PinLaunch.exe
Filesize
253KB

MD5
e1c1d962824ecf764806166644e4911b

SHA1
d895f81608a01023df27e4bfda228341997f7244

SHA256
351312eb20abf40983ac6bba7a33766355e7b3d4f5ea0e173fd537cb910b900a

SHA512
8c8868d569d381f4927431b582ef0adb301ab12f7aae782f629508a1ce3c44027315799c374cfcd274d0229c3a319af4e0dfb7ead86a794e80ac3208cbf9ba12

Download Submit
C:\Program Files (x86)\Stardock\Start11\PinMenu.exe
Filesize
253KB

MD5
e704c5d11852cb776d950444c01e659b

SHA1
00fb5ea2cb4717f9e35cc6cd82f5d345d6192646

SHA256
9ca4b38151db0e233d01a458a75abdc421a799823faa3d488d5a036b50b011cd

SHA512
952c25a2b0b9a4d51f9525f9fe7ed8d40c8d00ac48afcdc60eb228bfe2b25a45e3f351ec06cb85e4e8c54f223c32b0e6e0789fc1134b80d2992aff844c0c2a76

Download Submit
C:\Program Files (x86)\Stardock\Start11\S11Search.exe
Filesize
138KB

MD5
def5fe3a48b2bebb5d0bc4ffa4e68c8c

SHA1
fdfd31a5c27ae9e163e5400e0efefbbffdc1edee

SHA256
83f01e9fa92a596f1eb5665d0e1dbc94f2b97baa1d1e9f3d96607a6252e5fbdf

SHA512
ce98f707ec1a5fe41171a29b8c57f477783ec2b2bb7a04d2cf62e946179fe51b01cdad12211cfd93d11f229d2ce08ea0c99788f168fa2bb2b4a8539548c16245

Download Submit
C:\Program Files (x86)\Stardock\Start11\S11Search64.exe
Filesize
178KB

MD5
babbd30ce081bee9a63b399cd2ef9be0

SHA1
5fc81ad3e5437c30949cec375b6fe5d25a5aba4d

SHA256
26c86b920c6f5837078f3eca3a51b5b23563ebb763f7605531c3fc4a8cb2c5f4

SHA512
158d493e2967ecb6ff1a9603886166554c668407f83ad665e043453a1ce9c087473e40055c7c129de4fe02f1107accfb363753bfa322c82a8bd8a76679991980

Download Submit
C:\Program Files (x86)\Stardock\Start11\SdAppServices.dll
Filesize
1.1MB

MD5
05729ae3458afda2b8f83f32949124c5

SHA1
0fa53d88a6536584103e3a82458ecfb32cc7e3c5

SHA256
7bcfba525f923d68bb28601c30e94398110106de628354a889d0d22556b5c79a

SHA512
f1e71054660c894e0389cc1cd3b1c05f633810253d1adde00a6ed7c3ab698f759c3f7020652c91a7be9ed2d3541cf19d3da4c7170f7d9694753d599c3dd456fc

Download Submit
C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe
Filesize
74KB

MD5
1955296e2b0f62434e0bd4f43758e680

SHA1
09a8c71b907ae32f5969455ba9ae7ddab9d1f00c

SHA256
fded6d79bb53aa415ec73289f198b00d59adbac536fd63f5cd99ecbdd3a7889d

SHA512
1f6f52ee7c965139332721629260b1548d02ccf45bb86bff32d555ac110f3f17b30469e7445378588a9ceb8bfaec073e04d557a7c1438ddc52f5e20316751497

Download Submit
C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe.config
Filesize
312B

MD5
285a4b35c0f55ed5c23214ae737889a4

SHA1
cfefb1722158720c9c2b54457af2b351695e29b6

SHA256
e0ae71b7dc3e1e989d86764fdab0f50f0824d18f05e2cac3043f9f1d0cbfba2e

SHA512
a8529ee2dbe04bfc88fe25bf1990da5603271460a2c8a85e237e1ea113c83196e45e62baecce0e9c774b8be3779c3aff63526e039129c23debc2b21f3ab1c327

Download Submit
C:\Program Files (x86)\Stardock\Start11\Stardock.ApplicationServices.dll
Filesize
39KB

MD5
8ad0e302a6896b471a53f2926b27c1a6

SHA1
3ff58157d71d6e18195aa1ea927c7e6624a71d3d

SHA256
22513bdee688fc8e9e7b3f50c0e2059acb73a4e21a6ab1a9a0e6dccaf6f39247

SHA512
cd0ffc94b4e18fdc44c3c88a275d2f5d248ff5de6d01eb45fbd03851cf683f1a085a8cf75f246ac0047acd40c810fd7465c6069e42a8546200bb12a982b1fe84

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start10.exe
Filesize
329KB

MD5
3e9994b595f6bffec24ed705398ea2fb

SHA1
01307767dcd1ba3ceab55c69e3e13d569ba1a202

SHA256
02dc0a089946622f72e685dfa24f3530f28cf62f342b2e82a7e0bfab7013c114

SHA512
d9fbce892cc0f848293c927c62085aa43b51e23eb82b03c41a8f4c95dda5e949e5a9a14934fa61723f49bf411d4391a2c45666c3c7b8a508055a3be55d269c63

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start10Shell32.dll
Filesize
155KB

MD5
cd8ad09f0d42a8e8c5922ff6c93d7d63

SHA1
66e49537f1234c4243ca0faebb7ce0fd71841731

SHA256
6c1df718f996f2310ff04867e14bbfc1be19b5cf48783d9ebf42cc5e1bcf1251

SHA512
cd61aa3dc932d7c42691629b55c212bd335296c03f922dfbac3b669d412bd03807b60eb80cd37b65d84e1db0dd00bdcd5c9b0bc1862e3fcaed0bc99ea5e5567f

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start10Shell64.dll
Filesize
195KB

MD5
59daa54e0f5401541bbb2ee0aabb950e

SHA1
0a0452f9ef2f4be99010e496c94a57659694b7fe

SHA256
e2dc00de1303726eb70c9f719efaea948ccf24edc76bf0ada1362343c0ae1887

SHA512
e1b5ce8f62f7b9e1d43788b6d9f12677ee70b4d97f2c8499240ba3018ea2d8f81cf4efc9232016a41da2e3900ad1769a05e9ffe26de718afe652b27a13f81d04

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start10_32.dll
Filesize
2.5MB

MD5
9f37c74e33a70a4005f6462ee38f691e

SHA1
d0e73fd7487e5f200aafff700ef1e6ea9ef0e79a

SHA256
a6678cf1123219937856ebec7ecdaabcc0bc9431c713933cb14146b57bc22608

SHA512
ffacca627c497516b007aecb553b2441afe4a3bde475ecb2607648b217aafadde6e91f4ee5aca78791d0d96f77fa1c474967c72ce8f21fb9573e9503f8443873

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start10_A64.dll
Filesize
3.6MB

MD5
cee595ef8e3603338485582266682399

SHA1
e671250bf7879cc2b0d74d5772307f44bb5d8132

SHA256
6318f91fb51d6384c190402a50d504e117c2086d10067dac023ef06c3b046425

SHA512
3212900cd2ffc76ed5034f2818ad9a7a8e1d5951a4a98615e7161a888efb94dd6e4bcdf7b34fff16d6b728230a027da1261dcfa221c096dce21861e84010ba3d

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start10tweak.exe.todo.BAK
Filesize
2.4MB

MD5
35bc361cf9ddab613fc3d9ca6dab6541

SHA1
35ba9a50a1a2f3fadc563f778dafad8f7658f4e5

SHA256
529f637190b3eb8dc94e00de0056479a907c8f431b5c9888a488ba351fd7bb0a

SHA512
9acc88dba5be017f4760d6e7724e1dc55c0e7a00b44d44fa75d3e84a14fad8d5f19e57d3af67cc4a0796f12a38f808a43ed82d2a6003452988f4510190e4bfb4

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start11.exe
Filesize
332KB

MD5
0d905bdf98a16dc6662c5b117e213e06

SHA1
12342c7bf296e027fcc9b61778880767c4bc4c72

SHA256
9cafbcc00ebc8860c3e9c2e0a278b24ae5205e8c36745e6ce377fa680afaa72d

SHA512
832ff7575e9bb44d6cfc9e497ae2fe9cb9b916459af7aeba98a1fdfed8bcccf517b178dcd8ab6b09f0c6e054628d2e36095ff3a18bf9165dd685d02e4a582286

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start11Config.exe
Filesize
10.2MB

MD5
e9e5b1f20adab1332053390ce5dfa67a

SHA1
fa9d9def87b23ee29aa437094f2b0db2b6ec8a74

SHA256
65f59237788a062dddae78524a014aec14e933a832adfd79eec8c460600d3299

SHA512
c2a9aabc2bdccacf976b3afd200681c99f99f546976d3b035af9db8155bb7891b175cd7e59566a6c708127e04ca71dac2bb87d6392d0ef30b0028f76cdeb139a

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start11Srv.exe
Filesize
265KB

MD5
f70fbcc9916e38d414157a0deab1c4ef

SHA1
e7da005c8fbc1d309b28902cd2fa3d11022f42bf

SHA256
915737d623601c90fb63745a2ce2086b0b6c9551ff3e4b0156d705d8452cb95b

SHA512
50ca193c257a4c2b47d024cd9a002473aa69b64378097677b1265d456716292aa8d27d780082227aef2629970f11de3c4bd5d2c5073fe3c25972d06ecf5b52ed

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start11_64.exe
Filesize
365KB

MD5
46c398c5e82a61580b00b1aa8cc268f0

SHA1
b4d77f62a166521a791ac819d5f15b36089736b5

SHA256
0edd8851ef648039d36f3669bbfdcaee1ef1e45048b224af7f0358758db4604f

SHA512
0ff323d3d6b8eaa699a808991ded23bf572c844cad11fa987d20f482cfcd6fa21c41724484b1b5f7c3c42e1b6181add58a29966dea1726d3eb2febb7d3abc2dc

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start11_A64.exe
Filesize
382KB

MD5
1ad990f26a923a418f0b03dcac0f964b

SHA1
337ae25698287fc151959ca727fd9f89b7bec7c8

SHA256
4690afc0120f278ef47db782ecb8d0f70426157a91a2c8dc8a8246f5fc57a926

SHA512
5438bff71b7e3fc117e3b60482062f5b85b798aa1407441a82a7c8ed4b5d894d5f53c8c410e53a56655a25fa5965affad44a66cbaad92ebaad45df75086c09e6

Download Submit
C:\Program Files (x86)\Stardock\Start11\Uninstall\uninstall.xml
Filesize
71KB

MD5
6d043e93353b2faf1aa83f50b1939e5f

SHA1
572acacdaf161838b5087472ea85894973932819

SHA256
f4e819a2d193ebeda545ffa8efbd6361323da3d88417e92442cb5f2d5feae9fa

SHA512
891674a75867e37616a96df4eff010e59670cb51000d13c4316f2d40fc0d161e35a0b880c92a7bdd397819248652d50f9a8a1209996bb80b8b1dc8a699bcee60

Download Submit
C:\Program Files (x86)\Stardock\Start11\Uninstall\uninstall.xml
Filesize
71KB

MD5
d86c71d430f70b2de3b3d2a9a5d8fa3d

SHA1
5af188d8e91f3467e6acca209ed0923e64a581ee

SHA256
657a03c5c0ad9c6bba0a0d8bee1139c1494e77f09509ff1b1b8e986e368d7cfc

SHA512
d050074673067fc15ea13baeb4b7880f7bacb6e0d28234afd89446bb4923bcf839d8322e0e5dfddbeab1ba0d39f678878fbae105e50c15bfba5174cd3e235deb

Download Submit
C:\Program Files (x86)\Stardock\Start11\mrmsupport.dll
Filesize
714KB

MD5
d3834ce63c831d6e814fcb4a789dc406

SHA1
c4073fb3505e0122643ff145db92b8adc805c452

SHA256
91002e79bd80c28d79ac3fcd7d73b10caa2888b23d18071a3321f731561bd227

SHA512
b082f0818d309cd07ce069f689ee2d0239b53686571d44ac8c7f43cbfaa495d9ace0d2ab4c593ebee3d6f25fb64d809b11090fa2d4d86400d2331ab203bd41c5

Download Submit
C:\Program Files (x86)\Stardock\Start11\start10_64.dll
Filesize
3.5MB

MD5
89bb5f2161cf45e8a25dd366093a5832

SHA1
079b1696e6a793d4a32f71287bc0b22d5bf75acc

SHA256
7351ce1cc8e4213937de1380a1ed2893eb01abd5fa7445fb4fffd18e211066ca

SHA512
9fd4bf20fc71c7ab7c539d7c4245da6dc4a09a019210d3178a8d191e08c8bfab3bb58d727922c07d88817d83b7c960015fb52c5a01777623109594c1ca722196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
14KB

MD5
93297b5f9c46d18b85caea68301a4b22

SHA1
5a974cda2b7981bbd48d4a37961cbd0eabebc626

SHA256
8b6cf1a1b0de623c8bddc4aeb17763ef1279bbf2b1ca7ca8d8a36af6c6ecd51d

SHA512
47c06dcf49421ee2324faa26916ad7076515bd5f9589b52feb6afa77553589ae138285ed9a975b68602a82a518b8b77404f287d85a85683cf3901109f50f165e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
14KB

MD5
92141c72cbcf82f63caf5d526b7f50e5

SHA1
fdc5649af80157f1f71d8b30ef2683c6d1ea0a48

SHA256
a7373746be6bd89fb7e4b590875b63cc801f8bf5cad4e527d6d76bd4569383b5

SHA512
e121a0f800ba7336931580ec3f4c9173749d932947958f9a988a3722d340d5d6a7870347d792ce45118ffaa452bf18cfa48aca5240240a25040b092cc1c4f318

Download Submit
C:\Users\Admin\AppData\Local\Stardock\Start11\SasLog.txt
Filesize
622B

MD5
2ba2fa0ccff6214003cd55aa5126a41e

SHA1
20b77f7c37848d70df2b0ace60ac22ead0183837

SHA256
c64f72e3f3c619c10bc280f424ea9349436795c7ef3a79704d7796f65a876189

SHA512
4b67d555d86522ecb76aae462f5086670aa6740a57e66d665633f66932dc6a9a3c3c719fcf467812009443bcfb1c90ff28edf4ec8a86ae1f2ad2a3fbf57951f5

Download Submit
C:\Users\Admin\AppData\Local\Stardock\Start11\SasLog.txt
Filesize
946B

MD5
16f5f47f98fd5a7329c457164ba4e7c7

SHA1
a58ac46be067579c29a7054f2657f264d9956e4e

SHA256
ee970470f139107b795b9063215108bd5c5aa38d3d14987189edda75e5b85d14

SHA512
6ba4ec14867561b15c4e473e7a93bda7dceb1e44aaa8008597d4b7bc10d9fed3ea9890cd14c30d787aa20a0433ceebe0261bc0b4d2bf18f500097840ffb7bb47

Download Submit
C:\Users\Admin\AppData\Local\Stardock\Start11\SasLog.txt
Filesize
1KB

MD5
ce878d90cb368d106bc137e36a8b9261

SHA1
c2c2311191a1e8c5061ff18eba3ad29177eb8280

SHA256
72addddbab38bf38aaf7a8c01837895b36c6a164e4dc0dd6d882887d2c8bbbab

SHA512
e513808c5e5d8ba1c47639c99e77e8e2c307f3c4c9ffeaca5d6fee7ad5e53aadd53575d4de1c36049fc90689ac2d3a4dcf885717490b21019b289837cba23b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start11 Setup Log.txt
Filesize
86KB

MD5
212398c92a34c8fc188f636b4841c850

SHA1
6d8800579e1095a6dd918f7bc2fccdce4cab5d52

SHA256
0243a85b084cba75fd42ba685657ed97a2178094f736c9fab9384c4996f9fb12

SHA512
7e28066e75594d3162d43c6a6538fb9fe61876180a766b0478012d8c4a50f2adceaa82dbbe11fc0e8fef1761e64fdff771b83e83f84fddec483c6baac5832667

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd
Filesize
393KB

MD5
6eec47ab86d212fe3ed0f56985c8e817

SHA1
06da90bcc06c73ce2c7e112818af65f66fcae6c3

SHA256
d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed

SHA512
36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
Filesize
58KB

MD5
55bbf335f75f2a2fe0a5daf603964d41

SHA1
f1b9686e8a9f10682722fc5e08c02c016b597804

SHA256
723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43

SHA512
af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
Filesize
38B

MD5
1c4178061a12982cabcc138557f6cf2c

SHA1
d9e7b3726645fa0aa560ca2a6f7351d43a515d8d

SHA256
f33f35abcc71166a718a8a54df3e3da4dc901d959330f639baf0c2bc0c27588b

SHA512
44a7250720e124081d34a91748d629568e90ad4d7e80309e34380356ae7f6b74cc90372618a1a99e59f6b8050e363f606196b734b643a4f7d9b4b330bf20cd8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG
Filesize
2KB

MD5
3220a6aefb4fc719cc8849f060859169

SHA1
85f624debcefd45fdfdf559ac2510a7d1501b412

SHA256
988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765

SHA512
5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\eula.txt
Filesize
22KB

MD5
1f286ee31c288e8aae5200acc5b519b4

SHA1
fe76c325ca8a55e5354021b416ffe3b78c625fd9

SHA256
2896108090c277cbdb24b5fa6c87e6aa77bf4ed986f4b3ae4da0720c8de61ed2

SHA512
45062a327efcd0fe051940b950388ff58f5363a128c43b85fac3c9352b918707accaafa346292d62fe6f02be6d0366eade2954fb867fa48b3a50b510d72c12c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll
Filesize
376KB

MD5
97f79f421c5144b9041eb3efe76efed3

SHA1
f729c6b9b2bda0742932c8fbef649602982b6c44

SHA256
79b4dd81c91a865be6d1df29ad4b1baa838a90c2e77ab8c211ff25c74dc449e2

SHA512
4394b8130a2411e71f881139efed807370862217eb8bad50adb20d9a75ac7b5285301b7a24b0ed6b61d69a0c44f6e1835cc1d2808285dec204983177b2896bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\registry_export.txt
Filesize
474B

MD5
c6247e9f51d328f2d7d1bcf2dde15ae9

SHA1
66428b3d3a9789b980c7a820fb72ffb31e200f8b

SHA256
8540a5e828472342d208efce8a59cb130f735331eaaac4dda3a5ba8b4dbc17fd

SHA512
e093d2d3c1826afcac9158e9b5c98faa03c3a1d5642ea4f97cd93a8755d3f5be594651f3c9fbddd4df07850c13158fc84bc7541ebb84a501086f3916244523fc

Download Submit
C:\Users\Admin\Desktop\x64-patch.exe
Filesize
382KB

MD5
285725090ae7cf7c17264fb1d9810fe0

SHA1
506efffe9f682c067e307f995c2f5e112e0b2c3c

SHA256
ccbe694ce564c5c8bbcd6922693c7001dd774381ece53ca3f787ec652f32a64b

SHA512
0cd3e96a8389874a324a8a045fc570f7ecb834ea4ad92219e989bcb828def28ffcce259696f39248101d8782dbf0456d12f2e0c905b3b422d1a88b99bec8f08b

Download Submit
C:\Users\Admin\Desktop\x64-patch.rar
Filesize
377KB

MD5
9ab24cbcdd4957c122cf4d2a9397995f

SHA1
2411c5531fe8d4dbcabc447c72f523e64bd1b4d3

SHA256
e072f8a9215e573f82010f6341b4a9924525ffeb048aab70b46d001cdca6537f

SHA512
2f0e99b88242933eb9eeedb49c0d0767a1ead1cd40d64e9993e50e63de9bf2c7731e973c7b5afcebf9762cf99a50bcc5df28841c57b8d3fcc8a917bf3a5d472f

Download Submit
memory/1176-35-0x0000000000190000-0x0000000000578000-memory.dmp

Filesize
3.9MB

Download
memory/1176-67-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/1176-333-0x0000000000190000-0x0000000000578000-memory.dmp

Filesize
3.9MB

Download
memory/1176-97-0x0000000000190000-0x0000000000578000-memory.dmp

Filesize
3.9MB

Download
memory/1176-361-0x0000000000190000-0x0000000000578000-memory.dmp

Filesize
3.9MB

Download
memory/1176-341-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/1176-837-0x0000000000190000-0x0000000000578000-memory.dmp

Filesize
3.9MB

Download
memory/1176-811-0x0000000000190000-0x0000000000578000-memory.dmp

Filesize
3.9MB

Download
memory/1176-98-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/3708-807-0x0000000005FF0000-0x0000000006082000-memory.dmp

Filesize
584KB

Download
memory/3708-810-0x0000000009B40000-0x000000000A06C000-memory.dmp

Filesize
5.2MB

Download
memory/3708-809-0x0000000009390000-0x0000000009B36000-memory.dmp

Filesize
7.6MB

Download
memory/3708-808-0x0000000005FD0000-0x0000000005FDA000-memory.dmp

Filesize
40KB

Download
memory/3708-797-0x0000000000FC0000-0x0000000000FD4000-memory.dmp

Filesize
80KB

Download
memory/3708-802-0x0000000006300000-0x00000000068A6000-memory.dmp

Filesize
5.6MB

Download
memory/3708-801-0x00000000032B0000-0x00000000032BE000-memory.dmp

Filesize
56KB

Download
memory/4664-849-0x00000000759F0000-0x0000000075A66000-memory.dmp

Filesize
472KB

Download