34f46b207d6155ea25b0ba55874b41fdd73472b304368a003fe5f3f61cc0b6fd

Analysis

max time kernel
134s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stardock WindowFX 6.13/Readme.txt
Size

298B
MD5

6dae0f5f7fd4a95f8a77fb5ae7aa5ecd
SHA1

a8bc204ef4259949b6b1a123a9c0d47f026c47a3
SHA256

b0b4aa373798b4294a59b2ce3be425f35c97a806872f69c7131b68244d7a91f2
SHA512

723a65867ff4191831c40a1212e3552a9f54907d0c4fc8612ca71432fab7e107f11b8dc66b54787df81fa6d44c815eead6339ba9fc318ae20312d816717a1b76

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	WindowFXConfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	WindowFXConfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	WindowFXConfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	WindowFXConfig.exe

Executes dropped EXE 11 IoCs

pid	Process
4364	irsetup.exe
4896	GetMachineSID.exe
1552	WindowFXConfig.exe
224	WindowFXSRV.exe
5116	WindowFXSRV.exe
3812	wfx32.exe
3572	DeElevate64.exe
1540	WindowFXConfig.exe
396	SdDisplay.exe
1544	WindowFXConfig.exe
460	WindowFXConfig.exe

Loads dropped DLL 19 IoCs

pid	Process
4364	irsetup.exe
4364	irsetup.exe
1552	WindowFXConfig.exe
1552	WindowFXConfig.exe
3572	DeElevate64.exe
3312	Process not Found
1540	WindowFXConfig.exe
396	SdDisplay.exe
396	SdDisplay.exe
396	SdDisplay.exe
1544	WindowFXConfig.exe
1544	WindowFXConfig.exe
1544	WindowFXConfig.exe
460	WindowFXConfig.exe
460	WindowFXConfig.exe
460	WindowFXConfig.exe
460	WindowFXConfig.exe
460	WindowFXConfig.exe
460	WindowFXConfig.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023433-5.dat	upx
behavioral1/memory/4364-12-0x0000000000530000-0x0000000000918000-memory.dmp	upx
behavioral1/memory/4364-742-0x0000000000530000-0x0000000000918000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\Scripts\Wobble bottom left.tra	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\UI\Ani\slidefrombottom.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\UI\CheckBox.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\D3DCompiler_41.dll	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Scripts\Distort3.ttt	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\UI\clock.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\UI\Ani\cornerexpandR.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\UI\abstract.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Scripts\Wobble top - Copy - Copy.tra	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\UI\button2.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\UI\upgrade_logo_OD_02.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\Scripts\Safari Close.ttt	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Scripts\Wobble rand - Copy - Copy.tra	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Scripts\StartMenu - Copy - Copy.tra	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\Scripts\Win11_2.ttt	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\Presets\Random animations (Windows, Menus, Start menu).animset	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\Scripts\grid2.tra	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\Scripts\slides2.tra	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\Scripts\StartMenu3.ttt	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Scripts\Wobble bottom left - Copy - Copy.tra	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\UI\bnt_apply.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\UI\upgrade_back.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Scripts\Safari Close.tra	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Scripts\SlideBothWays.tra	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\UI\popup.pdn	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\UI\wfx5UI_panel_right.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\Presets\Default OS Animations.Animset	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\UI\home_switch_track.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\SdAppServices.dll	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\UI\Ani\slidefromtop.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\UI\home_horiz_separator.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Presets\Flow from right.animset	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Default.spak	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\UI\content_bg.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\WindowFXSRV.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\Scripts\SlideColumnsUp-down.ttt	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\UI\Ani\cornercollapseL.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\UI\home_vert_separator.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Textures\leather.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\UI\btn_minus.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\Scripts\RotateMiddleV.ttt	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Scripts\Wobble down - Copy - Copy.tra	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Scripts\slideboth2.ttt	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\UI\frame2a.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\UI\wfx5UI_tab_inactive.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Scripts\blinds.ttt	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\Scripts\blinds2a.tra	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Scripts\Doors2.tra	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Textures\clouds 2.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\Scripts\Safari Close2.ttt	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\UI\smallhelp.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\UI\Ani\closetoright.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\UI\circles2.tga	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\UI\frame9.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\UI\upgrade_title_upgrade_wfx_02.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\UI\wb_check_normal.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\eula.txt	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\Scripts\StartMenu.ttt	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Scripts\BlackHoleTR.tra	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\Scripts\Roll.tra	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\UI\Ani\random.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\UI\frame8.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\WindowFX\UI\wfx_window_trasnp_dark.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\WindowFX\Scripts\Distort3.ttt	irsetup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\womtrust.dll	WindowFX_6.13_Jasi2169_Patch.exe
File created	C:\Windows\wontrust.dll	WindowFX_6.13_Jasi2169_Patch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2028	396	WerFault.exe	117
2540	1544	WerFault.exe	139

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SdDisplay.exe = "11001"	SdDisplay.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL	SdDisplay.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL\SdDisplay.exe = "1"	SdDisplay.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	WindowFXConfig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	WindowFXConfig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	WindowFXConfig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	WindowFXConfig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	WindowFXConfig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	WindowFXConfig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	WindowFXConfig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	WindowFXConfig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	WindowFXConfig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	WindowFXConfig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	WindowFXConfig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	WindowFXConfig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	WindowFXConfig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	WindowFXConfig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	WindowFXConfig.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
396	SdDisplay.exe
396	SdDisplay.exe
396	SdDisplay.exe
396	SdDisplay.exe
3764	WindowFX_6.13_Jasi2169_Patch.exe
3764	WindowFX_6.13_Jasi2169_Patch.exe
3764	WindowFX_6.13_Jasi2169_Patch.exe
3764	WindowFX_6.13_Jasi2169_Patch.exe
3764	WindowFX_6.13_Jasi2169_Patch.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
920	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5116	WindowFXSRV.exe
Token: 33	5116	WindowFXSRV.exe
Token: SeIncBasePriorityPrivilege	5116	WindowFXSRV.exe
Token: SeDebugPrivilege	396	SdDisplay.exe
Token: SeDebugPrivilege	3764	WindowFX_6.13_Jasi2169_Patch.exe
Token: SeDebugPrivilege	920	taskmgr.exe
Token: SeSystemProfilePrivilege	920	taskmgr.exe
Token: SeCreateGlobalPrivilege	920	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3132	NOTEPAD.EXE
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
460	WindowFXConfig.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe
920	taskmgr.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
3912	Stardock WindowFX v6.13.exe
4364	irsetup.exe
4364	irsetup.exe
4364	irsetup.exe
4896	GetMachineSID.exe
4364	irsetup.exe
1552	WindowFXConfig.exe
1552	WindowFXConfig.exe
3572	DeElevate64.exe
3572	DeElevate64.exe
1540	WindowFXConfig.exe
1540	WindowFXConfig.exe
396	SdDisplay.exe
396	SdDisplay.exe
1544	WindowFXConfig.exe
1544	WindowFXConfig.exe
460	WindowFXConfig.exe
460	WindowFXConfig.exe
460	WindowFXConfig.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 4364	3912	Stardock WindowFX v6.13.exe	104
PID 3912 wrote to memory of 4364	3912	Stardock WindowFX v6.13.exe	104
PID 3912 wrote to memory of 4364	3912	Stardock WindowFX v6.13.exe	104
PID 4364 wrote to memory of 4276	4364	irsetup.exe	105
PID 4364 wrote to memory of 4276	4364	irsetup.exe	105
PID 4364 wrote to memory of 4276	4364	irsetup.exe	105
PID 4364 wrote to memory of 4896	4364	irsetup.exe	107
PID 4364 wrote to memory of 4896	4364	irsetup.exe	107
PID 4364 wrote to memory of 4896	4364	irsetup.exe	107
PID 4364 wrote to memory of 1552	4364	irsetup.exe	109
PID 4364 wrote to memory of 1552	4364	irsetup.exe	109
PID 4364 wrote to memory of 1552	4364	irsetup.exe	109
PID 4364 wrote to memory of 224	4364	irsetup.exe	110
PID 4364 wrote to memory of 224	4364	irsetup.exe	110
PID 4364 wrote to memory of 224	4364	irsetup.exe	110
PID 5116 wrote to memory of 3812	5116	WindowFXSRV.exe	113
PID 5116 wrote to memory of 3812	5116	WindowFXSRV.exe	113
PID 5116 wrote to memory of 3812	5116	WindowFXSRV.exe	113
PID 4364 wrote to memory of 3572	4364	irsetup.exe	114
PID 4364 wrote to memory of 3572	4364	irsetup.exe	114
PID 1540 wrote to memory of 396	1540	WindowFXConfig.exe	117
PID 1540 wrote to memory of 396	1540	WindowFXConfig.exe	117
PID 1540 wrote to memory of 396	1540	WindowFXConfig.exe	117
PID 3764 wrote to memory of 4384	3764	WindowFX_6.13_Jasi2169_Patch.exe	135
PID 3764 wrote to memory of 4384	3764	WindowFX_6.13_Jasi2169_Patch.exe	135
PID 3764 wrote to memory of 4384	3764	WindowFX_6.13_Jasi2169_Patch.exe	135
PID 4384 wrote to memory of 4896	4384	cmd.exe	137
PID 4384 wrote to memory of 4896	4384	cmd.exe	137
PID 4384 wrote to memory of 4896	4384	cmd.exe	137
PID 4896 wrote to memory of 1552	4896	net.exe	138
PID 4896 wrote to memory of 1552	4896	net.exe	138
PID 4896 wrote to memory of 1552	4896	net.exe	138

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Stardock WindowFX 6.13\Readme.txt"
1⤵
- Suspicious use of FindShellTrayWindow
PID:3132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\Stardock WindowFX 6.13\Stardock WindowFX v6.13.exe
"C:\Users\Admin\AppData\Local\Temp\Stardock WindowFX 6.13\Stardock WindowFX v6.13.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:2189346 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Stardock WindowFX 6.13\Stardock WindowFX v6.13.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-355664440-2199602304-1223909400-1000"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32
    3⤵
    PID:4276
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4896
- - C:\Program Files (x86)\Stardock\WindowFX\WindowFXConfig.exe
    "C:\Program Files (x86)\Stardock\WindowFX\WindowFXConfig.exe" NVIDIA
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:1552
- - C:\Program Files (x86)\Stardock\WindowFX\WindowFXSRV.exe
    "C:\Program Files (x86)\Stardock\WindowFX\WindowFXSRV.exe" -install
    3⤵
    - Executes dropped EXE
    PID:224
- - C:\Program Files (x86)\Stardock\WindowFX\DeElevate64.exe
    "C:\Program Files (x86)\Stardock\WindowFX\DeElevate64.exe" "C:\Program Files (x86)\Stardock\WindowFX\WindowFXConfig.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3572

C:\Program Files (x86)\Stardock\WindowFX\WindowFXSRV.exe
"C:\Program Files (x86)\Stardock\WindowFX\WindowFXSRV.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Program Files (x86)\Stardock\WindowFX\wfx32.exe
  "C:\Program Files (x86)\Stardock\WindowFX\wfx32.exe" START
  2⤵
  - Executes dropped EXE
  PID:3812

C:\Program Files (x86)\Stardock\WindowFX\WindowFXConfig.exe
"C:\Program Files (x86)\Stardock\WindowFX\WindowFXConfig.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Program Files (x86)\Stardock\WindowFX\SdDisplay.exe
  "C:\Program Files (x86)\Stardock\WindowFX\SdDisplay.exe" -prodId=2245 -ProdName="WindowFX" -company="Stardock" -forceUi="Welcome" -parentPid=1540 -prodVer="6.13" -ResponsePipe=1832 -ownerWnd=0008025E
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 2784
    3⤵
    - Program crash
    PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 396 -ip 396
1⤵
PID:3900

C:\Program Files (x86)\Stardock\WindowFX\WindowFX_6.13_Jasi2169_Patch.exe
"C:\Program Files (x86)\Stardock\WindowFX\WindowFX_6.13_Jasi2169_Patch.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c net stop WindowFX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\net.exe
    net stop WindowFX
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WindowFX
      4⤵
      PID:1552

C:\Program Files (x86)\Stardock\WindowFX\WindowFXConfig.exe
"C:\Program Files (x86)\Stardock\WindowFX\WindowFXConfig.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1504
  2⤵
  - Program crash
  PID:2540

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1544 -ip 1544
1⤵
PID:2652

C:\Program Files (x86)\Stardock\WindowFX\WindowFXConfig.exe
"C:\Program Files (x86)\Stardock\WindowFX\WindowFXConfig.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Stardock\WindowFX\DeElevate64.exe

Filesize
10KB

MD5
77f4f5243e1f2eab70e253e138488754

SHA1
6f91e14d7c5a7d2bc865cf0928dc9be9a2cef55a

SHA256
22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4

SHA512
64a2be3bbc720f66264238aca89daa1214d96e5566838ba49c4b5ec32f3ab1bdd83a9bcc59d965c6fbbc7c171ac20f07e9118908064b5006503f343074b28bf5

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\DeElevator64.dll

Filesize
17KB

MD5
a5878bb90ab95633ddb5a954425a248d

SHA1
3f688a5e78d4e5586193a60220e6adff486b73f3

SHA256
59bb5ea89db2627b13e12c500dfea20c1ea951947d7d02569b0b93361a3c3c08

SHA512
05f1bf43f707fd8a26fd8fe9cfa0878d597bf5234e8679e1bf4f1cff36d17ebfa65f3e09a9f7db279353d0d6dc760a2329236c38ea231ebe6c7485e0e0dc2eb5

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\Default.spak

Filesize
298KB

MD5
93f0f3302d5c36114e92868a2d3412c8

SHA1
cbfb00fc140e9de1eaead9a6d9921c718644a33b

SHA256
e31bd1e442ebbdc31a86f8dcfeb7754298bee3c2d42b59aceb7049e4d25954bf

SHA512
140f714bd05c77d391c5d2841480e4b46a24e0b20ef568f3ac887e88f84de2a2d6468eecaf32d983818e4a065dceec01d851450ae6f530ae2c38861e49b4c4e9

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\SdAppServices.dll

Filesize
1004KB

MD5
b65471992fbc7841c264037ec46f5891

SHA1
76417b30d280230a9856e6b57fe8eb13f33f0f09

SHA256
659ab4ededaf9364ee87165c3c97642171dc07cd00f77153d5f5a7c7435d6d86

SHA512
56de621aeae33c719a1d0494219c5ac5be54050806ceacc31d4c3fc8d7bc26aa8205f80526dad18345668caa85df0a4da702c6f126ab8fb5f3b05b4f2b595fb2

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\abstract.png

Filesize
19KB

MD5
050f06531f57d50027dca15b3394aeee

SHA1
98f1716a3d84da64003f3a2d608fb64b82dadda2

SHA256
d7332b0eb689f3004d8745ee09c865efb274ae118088e6edc1ecd2755bec9b31

SHA512
1586097a1f949d2ca3103739b987654512b5f82f4ee3b5dde50ce589f3e6f1bc4c4de5e036b2644f9bd10f02a04eb7fedd8c63b3904f833655fe8c6279e66dc7

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\clock.png

Filesize
4KB

MD5
f49cea9cb371ec67e39303dc5f3e0b49

SHA1
f943193924be248010886851410370af152c3bcc

SHA256
405d234c96545ad40bd7dae1d884163a3217153a2ab7570652f8d4f2f765dd17

SHA512
fc4180a416cb3d4d44f81b55dd949a10712ef0baff928b1f5dc40b9353cd2241496aa72f46eae7038e2e3ac138deb625d506d6cdf29899bba43007b9ab851700

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\frame2.png

Filesize
39KB

MD5
e35c9c18a870225b0b504510170808ef

SHA1
47ffffc240c6730945bfca11f5062eeca5b72222

SHA256
7302373a89114606a697eac117f97ca3ddcdd2b1ce17bf7c0e04c2c68628fb4f

SHA512
8adfb32c27837b3b8dcfbae88544cfa8be2591ac003252ff2d46cb58000729263a4c8518e27c14a641bcc48688b7f57a01fc2e3c15f9deeb2cfd1adf0f5b877d

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\frame2a.png

Filesize
27KB

MD5
dcc0ac069a3839ddff9804feecd8289e

SHA1
bcca4739846cc41937b45ccea09dc27e14ed11d9

SHA256
ecac3ab1973a01079f232c033e5f62e029f376d947115eba020aade01d44b09c

SHA512
f2f205ccdddb2754bdaf3cf2bf52fb144f4f601f3c4233f781a5e7b820c26537f0ff084aa6d0996980d8627fc111ca31f1b221ba60869747db525bccf6cd9bab

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\frame3.png

Filesize
42KB

MD5
58cfc7a7b12c328d95594680500866ac

SHA1
6227065392f95e73eb124688c3d6324776c2337f

SHA256
1b065de2e900f4b7600fda493e3098f456ae887002e83abbdf5234f97ba91cef

SHA512
0c8e2d5cae5d7526af5846701aba1854c205132c764a4bbbb4837179256577f4cef5519457c000615b206a520799828a48bd88a0369b0d2180af2c30d2186ddc

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\frame4.png

Filesize
48KB

MD5
eb05e3b20fabae9bee6a5a22ac0b44a5

SHA1
206668dc4d9f0ba929589879cf9ff06c7084113d

SHA256
eb9372337d15b32568375253b829fdc1963eb614f978b9886cd6a888c78010bd

SHA512
0bfb83399fc46b939d999b20f04d30815234559bbde1252e09dccf88a7386543a467d3a1c336a5b93953de220545682b30dd63d2595ea23ab9fa1c7eacf83357

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\frame5.png

Filesize
40KB

MD5
925a15559c35440490533e4942ec6092

SHA1
8ddd30bfdf34b93e5c9dbeac2bbab87b9af4da72

SHA256
b73ec0e2a2c498c52fce063b3d9b70ef0ad3ec7ae85e974772f3d2c43c1d395d

SHA512
5c4410182559212cd7db813352ffc51a7c84f5e8925ca5f4705b9291725174869b797d1373bce50eb0a5bc3ba057d3b695f99a6ebd7d3119048d346f0bf761f3

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\frame6.png

Filesize
38KB

MD5
4d430d97cfb4d0d208bd857b185edb7d

SHA1
748ba2df53e102c67bfa4d8ed56f97925fd60d58

SHA256
05d67215a682008205dace3c0ae84bcfebbd714818eb008e4328fd57661cdeb1

SHA512
47d56124dc6ef613ec1b3c990931869fdcb4d071fa56a693b07a30e78392e11fc999cce067ba630486cd842548a719a464480585a89db915699a40ae7b361df3

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\frame7.png

Filesize
36KB

MD5
cc13b6dfd381b370c38464874ac90ed4

SHA1
497c5cf16f00ad664330c92c5c6be2c09b2c4855

SHA256
7b60abdd44d00388e48c49893ea3a9a4758ead37e748791d3b258e12ce6cd41d

SHA512
2b7c2e3d4d981c361f95693dde97fa60c40bbc6c2cca1b1d184b244f8fc705420aafe47d439f4f657c26bae3ad470636f34e363bac063ee411bb155968fab915

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\frame8.png

Filesize
41KB

MD5
5706997d4bc739e0d5ef03a455100cfd

SHA1
81e617857f7d4f69069934d999334ba98424663b

SHA256
d3240433c60eefdc3371b2447d294f5565e8192d2d94ecf91b54d7c3fdd3c9f0

SHA512
cc6591ad0295a40a1951c7a03cd14a78826929638ce6fe2d6fc488322e274d9d865b0d9bae63c8758778c6870042defe24270be0039fd8c4e3f0865ec357ac9e

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\frame9.png

Filesize
31KB

MD5
754a2411045a6c8a25b918fde4e24507

SHA1
dbdf2cd22ddbfa5b2bc6044a91b216ba3188a8f1

SHA256
482907618179f93b539f260cdec6a81aa92d8fa337be346e1e7d5477b7636fd9

SHA512
21ca14ecd7ca65a672d9166abcccc276a70bf7c79b61a79a9c731d5401cfe67890921a8913644decbbd58c41dc34c06f16ff641cf9ccbaa748efb5c2fcb4c7b0

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\home_horiz_separator.png

Filesize
5KB

MD5
771d6d50b3787ec58427cfc6a38411d2

SHA1
343353250f7cbfa832cf97a31d0be3cb24a7ec9e

SHA256
2106e49107b03d4566352c64c112bf54af6278c3286f4966fe27723bda70124a

SHA512
2c86eb95a5bfd034499f2f0d8e5d33226cfd7e60036c44ee8491dc2210fc593239bb5e883c59eb34e18968f00d26cc13488b7cdcbef507db843b6197281d1814

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\home_switch_button_v2.png

Filesize
854B

MD5
c4c844c1d829f73094aa6f155faf18bc

SHA1
f7e2615de9a809c47e623e565184ba9ef244f7e3

SHA256
c0a594565d25510e7969ec54e465c447afbb6a39bc63c01402285038d0207c8f

SHA512
abf6a5c8e57769563988a9b017a4dec6ea649e04e0d68b885ab93938667bc68a2af0193f8ce4324dfea5fbae61c6f89112c32618670ef27ea43decf9ab1a91b2

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\home_switch_track.png

Filesize
333B

MD5
ba41d98ae1f8e05af50058228908454a

SHA1
5e3bc1e8edef9c55261013959a027a9d17220fca

SHA256
6c51e1d4d27a777a0c4425337824d5956ca17e57263f98951dadc0b374c97d7e

SHA512
ddb8f1f62b64b5e8bf7ffc1c879c04de219f5c38c4cae19a7f208c2622dfc8f82546e26184b9287005588e4483cd71fb1f5534e3c810461cccf1a74209876d54

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\info.png

Filesize
3KB

MD5
41b1d948b90608d4e73bfaa81caad417

SHA1
f476ffde49e07336b8f3211dff92a5b291b82bdb

SHA256
2053991b6d10ae9acc171f3973c2af70e5747ae38327d97a4e17f9fbfa55a1dd

SHA512
bee68e0503dd5202a6d33dbbca6e8a7ca20853976652ade62ccce3fe1eb77a4069384601043bc765876ac09ed4a3e67da95ca5a0e278be258b46e384369be817

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\label_plus_03.png

Filesize
1KB

MD5
377c0fef82928a0eef8e25d6059c6790

SHA1
605bc89385b8ab0d0d31e35a4e2c1ea10c50dd0a

SHA256
ef4694dd53c16852d689797a60ca2eab2096b9147660e3a3e2741a517da923fc

SHA512
d3d2bf5e23270b2dffff23a415f59ef8470ed0c63f568b85f54c28002af26ae3a99aec6889643e5f89e59cfae04b8b55221faadbb4b0b7898e9209ce5a158bab

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\onoff.png

Filesize
1KB

MD5
f75520aff24086cdd3d235ab340064f9

SHA1
5bba2ff7069d09a19f776ad3a260fce9876ba393

SHA256
2280f13278178c2ba2a4b54bf4bab3971b6d8a94fe6ad07dbe3a01a22374db9a

SHA512
c0c542d117f2220afb51cc0c5a54008b2e08f3132494ecf7ce9c8113e6720e30e266f15c1b070fc25454d4c4cfbe8a868442e86a3a7cb505ca7a18bb0c3e55b9

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\topBar.png

Filesize
2KB

MD5
0f0728747122673628a33547805a9bdc

SHA1
8d1d7b3f0b8298f95f6a9dcb636f71b4bc7054a0

SHA256
8423dd18dcd6820fcacc286a4a2074d0478563e1117852076d45dba314339681

SHA512
5f610b0f09766448895a2b13b6d3b0a73ff4c4833ed9d8742ba79732a072f77d51d9e58a0142f5ae286588c1773f412c8eaed51c7f7e8c24ff5c98a791829f1f

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\wb_check_m_over.png

Filesize
2KB

MD5
bac6e9e1eb784e8cec475dbdff97d786

SHA1
80156ad89136c58f9d79e4a185c300188edc5b76

SHA256
a657c9122117e3105130fc8c3bb93a1c84088bf61948d39bdb357e0ec6793deb

SHA512
8d4f62462c06024035bedef1b586f4d605cf77a6f82b1770e0916ff7a5abed727adb2b85b5bcdfe79cba3b1d6ff990e9aa03f9c9a59a0501a92a6a5a293b5804

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\wfx5UI_section_selection.png

Filesize
3KB

MD5
b49bf3da24aff08f425ba64c797dc57a

SHA1
64033b72daf9751acad2225ad0efebacd28c9700

SHA256
1c3546f27ca2804add0347b0c8a4faf6f74f8235d6f7c3bc3431f1256ad567b1

SHA512
dd8cc7fe239b5e91e940d187ac8128d620095a4c5b33b3b1e63c7ffc06d5edd227b3495f97acbad23dda87a6d5459f26c74269e49fbbfafbcea55b112d0ede98

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\wfx_disable_flip_3d_dark.png

Filesize
1KB

MD5
1b4425b9e6c41116c6a436cbb3e53441

SHA1
411a55ac1d46ddbca075475734e7a1893a60112c

SHA256
cd66c2dc28540174c84a5ab72bb537032a4e9a58ec1f2428d84541d63db148fa

SHA512
9f90bd0660f176b53e05aeef985a282e267beaf39a25363860fa94ecebae35b834d5385023e90309f37c9dab186b6b683e8292e4893e7a7debb51119e03656fd

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\wfx_disable_peek_dark.png

Filesize
1KB

MD5
e46aac6db61c8121961ddac4a38280e1

SHA1
2fe161c7083e7f46f4a77065212496bfcc11f235

SHA256
a343500ac141eaca7a0f6f87c9959e71f24f144b4305be1379abc013230d370d

SHA512
520839c65b5cb8724aafd243e68af6699e7c3de60f4a80703d8671cee71d7b6b5d5c1bfcbf51b1718acbde352976f9ed6500a1187e19708c0fbc4761f84e0f1b

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\wfx_pin_on_dark.png

Filesize
1KB

MD5
966de20f2c50342918ee725c471ac600

SHA1
d50630953e08afc4440c36cdaeb1d841313f555d

SHA256
11bfabfe0757184b6ac5c2c605f6fe04b070a2cc699329035f5b3b4e3739c900

SHA512
3cbb98f7f8121d78d754fb8bdf8cd41f4cf2809081ed5de51dbcd824cce5db1b54eb22478d9a570590289f7c07722a10af9302063fd11abc551e3ba6e70d4083

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\wfx_window_max_control_dark.png

Filesize
1KB

MD5
f3d67e7abe7043d3f251d83c2d653a09

SHA1
128bf73ae2ef7e52ba84eba31f00d63f2b36a52e

SHA256
558a91e8c1f07a362cf0911f82642564e509587d0f4f689e522f8cf0f0a1af4f

SHA512
5c74d21edeb8a441639c474c1b8735ec57a2876aed4323d5fa5ee1657eef223b64f5ba446070ade86b1775b9a190799b7306f985ed7e4650ab65257436afd882

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\wfx_window_size_control_dark.png

Filesize
1KB

MD5
580ca461b6623dd000851d91a01bb62d

SHA1
5e9979d06cd33a8274b830aa5f14884d58a6300b

SHA256
7e350a7c1eda31d93d962f4f13757cd52774a941e245379d18ce95650b1a7a95

SHA512
bacbec89c3944590e61c7727f4ad3783b369e28760f100d5e95161c88e2c17e79c421ba8c343dabf5ed38e93ac56daa127070040306a8152b8fa0715c5ed33d5

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\UI\wfx_window_trasnp_dark.png

Filesize
1KB

MD5
466fa0e4d9644b4dbaf85dfff80d1862

SHA1
b41e5dd631fc9868be24ce1b0f855a4ee30d7b73

SHA256
010aebb83004b4466e6632dd6f85da2d3d39d27c3e2d6d5849a6b5d76ad46a96

SHA512
e2e119c6207dc477b91dcc49ce9393155864cfb114955fa8604cae1b29e1c3e260b6cf5d8f35df6e85899bf41c570e733fee21516c7037b0a166dff028c6345c

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\Uninstall\uninstall.xml

Filesize
64KB

MD5
740625a42ceb8607ccc69acc18d81efc

SHA1
ac1d10b9f77d03bad8c0fc5abf701c65ba158aff

SHA256
b9b83c157535b7d761e4df0fafb1c858aeff99ca432981e52d87d07279cb8a7b

SHA512
9289fe06b59cbe8f94e203dc6b4565da5d8f5a87b3ee0bb15bd01a71c3eb8285102b6558f07bded71f3d5749ebe1719499a3cace0f9fe44fa1f0414b9eb54f3e

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\Uninstall\uninstall.xml

Filesize
73KB

MD5
8fc2ea6929b98a84f307bb4feaf72109

SHA1
cbc87b52672acfe15b49226f98cf1ae040db4043

SHA256
a9097f1eecafa1a4992e9b6ec5c10d1cae0136d749bb0f79bb83ea8218c97e4b

SHA512
c4e5d81c51bb5d9051c27f85635af9af1d3f03f8bcff2a574719f6bf53f70f6de8a162d2d5ce17d224758366b11acf49ae11c4e842b9571e7687fba93fa87e5c

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\WindowFXConfig.exe

Filesize
4.9MB

MD5
20ca972de8d394da30221819279d831c

SHA1
c0dd599d1649c2421eea7dc71fbe7c27c93b80f6

SHA256
7c65a8dd7865af504ec932460e85f372237357a607c23e632ed80b8526cdc47b

SHA512
3218a872239d4f60cb454dd6b0b9fe8cd3c5a1db66df5792cec28cdf1a6c56cedc802cb0a4c41c17cb0bcf12de44511ab1ed153f0f1e54a35e14c4c1273940c7

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\WindowFXSRV.exe

Filesize
189KB

MD5
d5add5bd7afc1315afcdbbf1b5aa56a2

SHA1
8a89bbcf4e3f4a841aa59a2a6703a4e53106054e

SHA256
3081308d55df3c99413182601ecf1cac30f3d463c7123945e16d57ab2a857755

SHA512
c4171cfb97bf06db97dba6dae8ad50171f84c8969a17321dae71ec1bb5eb1bac6802d048119c767b56de15e973c75e62f4ef5f933793fb759f0f81a6926ff487

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\wfx32.exe

Filesize
594KB

MD5
0309bec6380bbd248cc2e221fa631f51

SHA1
a2ff11cccb5dffd96949e56a7340c2894393a0cc

SHA256
d9339602f58d65a1b0902997e41f520c25afa75d64ea60b3b3c4a1fc89e18c01

SHA512
ed9fb0aa2346c7f7150f097221631ddbeee1b51c80ef6f008662b7915f5b7c586e456de9984d7689d5f316cc72dbcbdb3dcad263332596c5ce64fd4e7d0aa6f2

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\wfx4.dll

Filesize
1.3MB

MD5
9e4d5486650ebecfa9a6844b0ca66121

SHA1
eb279485bb02e2a56d06d5e7416a772a687daa24

SHA256
2ce7ba69e0fb874994dacd4035ec03fa992217133753a0cdad08fc81c4c188a8

SHA512
b28e70b0e14e7e5baa7319d1ee97a8662917a9e42d43940dbd9da5baeb767a28c97b4b421b3f47736262a387e9ca95f4a903001d77591153676123e91168c2bd

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\wfx4_64.dll

Filesize
1.5MB

MD5
e5db0dc8744deaa2282926c3e8fc57d9

SHA1
fd930951544fa1b6e0fee6d4545b22fb8bba15d8

SHA256
0a0ff295f87bbbc4bd9c771967626e5f7ee855413818f3ef8469bbd1a10fd50f

SHA512
3df7108fd7afa4c50abfc72b1e58c782b791f40b9566059f220c97d4719c389ac5d96bbbcda80f527c19082bfc3b44e193f04cb144a303e0407e5f3b13d4b5c5

Download Submit
C:\Program Files (x86)\Stardock\WindowFX\wfx64.exe

Filesize
672KB

MD5
6901f5583b3123639a5d0b3eb00fde75

SHA1
e6c842ddc7e79e39c47c68f8bf32499a236df2c3

SHA256
8bd99c4af0ae131a63bfe308dbc96faf0801f21e3eb01a7015fc388baaad8e38

SHA512
ce2578fcbd42e06d9ab1a13f152eae0a04c1c73aad24793480f44d0ed8680a633cb533b1db4a3d8b627d45f26a6b996ce61442d0f3b88388caf5193cc89df1ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
cbed24fd2b55aea95367efca5ee889de

SHA1
946f48b5c344fd57113845cd483fed5fb9fa3e54

SHA256
1dc8a0fcbe260b77adfe5ad9aaac543239b2a0d9f4e1f3c2657beee4376ffee4

SHA512
c504a11ea576f8ce14de26a0617e22e71e14db0f1dadefc187ce94e4a35a83743c743824e3629899c262aae4772bb86a0ee5bb643db20645483f0c376215ec6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
5B

MD5
4842e206e4cfff2954901467ad54169e

SHA1
80c9820ff2efe8aa3d361df7011ae6eee35ec4f0

SHA256
2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e

SHA512
ff537b1808fcb03cfb52f768fbd7e7bd66baf6a8558ee5b8f2a02f629e021aa88a1df7a8750bae1f04f3b9d86da56f0bdcba2fdbc81d366da6c97eb76ecb6cba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_DF4CA81DC775CDA9B3214BDB5B55900E

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_F683C52DB732919867B8733E61B240B4

Filesize
1KB

MD5
6a56e41d03a365926170dd38e2885aa7

SHA1
30a4975c8ee7e61cb717957e58a8588fd352374c

SHA256
7ac395351c651911dbc023aa8ee1a57697d99e63974fda5325e8eb490f281fd3

SHA512
cbcb7e2a48ae25c89f3320b7f045fc8af1e2119eccec918b6b940ac11fd47ffd8449009f3fa2cc4b67433e8456561d8e19426c7caeb81c6b0249ff25c75fae8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
24e93d125e1edeeae907ae3ac320e4a1

SHA1
e3d9741573e7dcc2cf0a629b2904a69d7be2cd88

SHA256
34c898e6efb4b4a0ded42b05e794111c29a55ec0648b3c216de0d666441ba244

SHA512
3455209f8f960f8c629783fe31d93fe2b51b8688a58d89eb7a796672e5aeb56ed50a4b3564a9c6a2fb1f0402671315099c6853b5670af9b9313f02af3f378e82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
b5919d59d33c7380fb994974cc007004

SHA1
707cecb9dffe6f85aba144bf3d024ad16d23b323

SHA256
5721b7c380b899973441c164ccaafb5f97cfd49b4b1febaf8fa66919fda1c7db

SHA512
881e5750e1a6b782f28356991d1561dc8320fe8d3cfddb10bca7549f19c5fd627d3197b49e8a994ab4b5461de75f947140b2cfe16b84152dc51774efbb029009

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_DF4CA81DC775CDA9B3214BDB5B55900E

Filesize
476B

MD5
fe9d7d3c6c09e6c840c5af8725fa20c1

SHA1
5f596dfbe846847a3549f814ec2c26ec3c89d5de

SHA256
41286b9d96d02920b4397d31f06338791b1a3487b8f33b426eff8cab1ac1f247

SHA512
3e675a5ad07381d161ef784c87df125485c83323feb512e386e9866335a9d96e381d4265bbb1fc739638a84bd6198e92f0af41a3b30c3c4701ce997100ff4ae6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_F683C52DB732919867B8733E61B240B4

Filesize
398B

MD5
511c55cb44bb3ac58ec11ab030ec8a35

SHA1
e62021f01914d60608e1a928e4097e308edf82b8

SHA256
eada54b501b12abbc915496778b0f43e3b512718a7f1d9de08ad9a9c3367b541

SHA512
c084e19797f7a0b8d2ca4434a4dc3c8e762fadce5b1ed63ed43f6690010f5596e6180f494c0d59a22c6934f981bfb6d046d73170b179efcdcb2e48ebd1313913

Download Submit
C:\Users\Admin\AppData\Local\Stardock\WindowFX\SasLog.txt

Filesize
658B

MD5
3f5685c1a095b410caa693eac7c388c0

SHA1
f734a7fd51d2a00640fcd9d46d8a036c65291f2a

SHA256
ef3a2e1e2034c6f91a80c4e0375006f06898dc429a59e3118bc2035367b201d5

SHA512
ee8bbec6702f3eb9198fb49ad33ee563610cf3b0bee4cdfe2918687646b8fb10749e384d99aa743de24f64822002be5a2913466d7320196b24e5449ca19dcc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowFX Setup Log.txt

Filesize
72KB

MD5
e14d895fa48f103d7aed2652838767e3

SHA1
391632464b89e4cddda87684e60948c860158425

SHA256
28e1fc239adeb2ea3bdfcdef7e75be5bfe558d5c649a522cd15faf7729718926

SHA512
1edc9e1703c50134f523646281832471e369ad8d2cecd92817f1325dabb87ba739c2fce5e774dbb2c3da6e1679d2e3851bfe270edbc9d57c9785079fe6975c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd

Filesize
393KB

MD5
6eec47ab86d212fe3ed0f56985c8e817

SHA1
06da90bcc06c73ce2c7e112818af65f66fcae6c3

SHA256
d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed

SHA512
36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

Filesize
58KB

MD5
55bbf335f75f2a2fe0a5daf603964d41

SHA1
f1b9686e8a9f10682722fc5e08c02c016b597804

SHA256
723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43

SHA512
af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp

Filesize
40B

MD5
281f0a6d59b8b8693a1e82d83d8331c0

SHA1
157cbbfe004da5de723578a1b054823e823e09da

SHA256
99dec3ef0d261985992daa82f017dd464c7820df135eebc43e332713e5505986

SHA512
f879c77b0f79b80fc3fc32173e2fe02fa70cae9684f9ea51daa8d37820450e1889f6c75891fd9a54f6a2d5cbaf23571d40ffeafc7967b3ac9f31cd8ebb83d360

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

Filesize
2KB

MD5
3220a6aefb4fc719cc8849f060859169

SHA1
85f624debcefd45fdfdf559ac2510a7d1501b412

SHA256
988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765

SHA512
5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
memory/396-793-0x0000000005420000-0x000000000542A000-memory.dmp

Filesize
40KB

Download
memory/396-796-0x00000000087D0000-0x0000000008F76000-memory.dmp

Filesize
7.6MB

Download
memory/396-798-0x0000000071580000-0x0000000071D30000-memory.dmp

Filesize
7.7MB

Download
memory/396-785-0x0000000000050000-0x0000000000062000-memory.dmp

Filesize
72KB

Download
memory/396-786-0x0000000071580000-0x0000000071D30000-memory.dmp

Filesize
7.7MB

Download
memory/396-787-0x0000000002400000-0x000000000240E000-memory.dmp

Filesize
56KB

Download
memory/396-788-0x0000000005480000-0x0000000005A24000-memory.dmp

Filesize
5.6MB

Download
memory/396-791-0x0000000005380000-0x0000000005412000-memory.dmp

Filesize
584KB

Download
memory/396-792-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/396-797-0x0000000008F80000-0x00000000094AC000-memory.dmp

Filesize
5.2MB

Download
memory/396-794-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/396-795-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/460-829-0x0000000000100000-0x00000000005DC000-memory.dmp

Filesize
4.9MB

Download
memory/920-822-0x0000025F2BF60000-0x0000025F2BF61000-memory.dmp

Filesize
4KB

Download
memory/920-823-0x0000025F2BF60000-0x0000025F2BF61000-memory.dmp

Filesize
4KB

Download
memory/920-828-0x0000025F2BF60000-0x0000025F2BF61000-memory.dmp

Filesize
4KB

Download
memory/920-827-0x0000025F2BF60000-0x0000025F2BF61000-memory.dmp

Filesize
4KB

Download
memory/920-826-0x0000025F2BF60000-0x0000025F2BF61000-memory.dmp

Filesize
4KB

Download
memory/920-825-0x0000025F2BF60000-0x0000025F2BF61000-memory.dmp

Filesize
4KB

Download
memory/920-824-0x0000025F2BF60000-0x0000025F2BF61000-memory.dmp

Filesize
4KB

Download
memory/920-818-0x0000025F2BF60000-0x0000025F2BF61000-memory.dmp

Filesize
4KB

Download
memory/920-817-0x0000025F2BF60000-0x0000025F2BF61000-memory.dmp

Filesize
4KB

Download
memory/920-816-0x0000025F2BF60000-0x0000025F2BF61000-memory.dmp

Filesize
4KB

Download
memory/1544-812-0x0000000000100000-0x00000000005DC000-memory.dmp

Filesize
4.9MB

Download
memory/3764-811-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/3764-802-0x0000000008920000-0x0000000009230000-memory.dmp

Filesize
9.1MB

Download
memory/3764-801-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/3764-800-0x00000000007E0000-0x0000000000C06000-memory.dmp

Filesize
4.1MB

Download
memory/3764-799-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/4364-12-0x0000000000530000-0x0000000000918000-memory.dmp

Filesize
3.9MB

Download
memory/4364-30-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/4364-31-0x00000000059A0000-0x00000000059A3000-memory.dmp

Filesize
12KB

Download
memory/4364-742-0x0000000000530000-0x0000000000918000-memory.dmp

Filesize
3.9MB

Download