5c7bbf60c683c00cba97eae5821a4225872a9a8c26ed92e3a97f246ba4867f77

Analysis

max time kernel
503s
max time network
442s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07/08/2024, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Start11v2-setup.exe
Size

50.8MB
MD5

8a8807ef9819d7660a37d8aef458a7c1
SHA1

eb2dda7ed971da47d732407ea7858b079b653d08
SHA256

5c7bbf60c683c00cba97eae5821a4225872a9a8c26ed92e3a97f246ba4867f77
SHA512

76e4a484e08d49d256ba6c3f404a75220cacd266c6d71fa1be7f78babe7c3817bf3adfe9c2b27a9e2dba37ee68afcc26f45077c51cd547b85897b3a5762f5b5f
SSDEEP

1572864:DzYkicgwIHrUj1Po1DhW7bs5tbbsO/PBvx:HYkahHrUjFUW/Ib35

Score

7^/10

discovery persistence privilege_escalation upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000002aabe-5.dat	upx
behavioral1/memory/2428-13-0x0000000000110000-0x00000000004F8000-memory.dmp	upx
behavioral1/memory/2428-95-0x0000000000110000-0x00000000004F8000-memory.dmp	upx
behavioral1/memory/2428-839-0x0000000000110000-0x00000000004F8000-memory.dmp	upx

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Stardock\Start11\Links\31.lnk	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Metallic_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Old Wood_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\sync.dat	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-17.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\Links\23.lnk	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\StartButtons\DefaultMedium.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\SdAppServices.dll	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\Start10tweak.exe	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\StartButtons\Sonar.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Taskbar Grid 04.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-22.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Metal_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Notifications\Assets\logo_stricon_blue.ico	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\Start11Config.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\Start10tweak.exe	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\lang\pt-br.lng	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Jeans_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Small Angle Stripes_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Horz Gradient_x1.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Carbon Fibre_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\lang\fi.lng	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Metallic_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\lang\sv.lng	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\Links\21.lnk	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Marble_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Grunge Stone 02_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Metal_x2.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\Links\30.lnk	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Notifications\Assets\stardock.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Old Wood_x2.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Small Angle Stripes_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\DeElevate.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\ThemeHelp.txt	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\StartButtons\Flow.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\Uninstall\uniBCF8.tmp	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\StartButtons\Element Large.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Abstract One.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Corroded_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\Uninstall\Encoding.lmd	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\Links\26.lnk	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-10.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\Start10Shell64.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-14.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\lang\pl.lng	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\Links\7.lnk	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\lang\cs.lng	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\lang\ko.lng	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\StartButtons\Echo.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\StartButtons\Start2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Taskbar Grid 02.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-16.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\StartButtons\Triangle One.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Rock_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Metal 2_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-06.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\lang\zh-tw.lng	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\StartButtons\Element.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\MenuTextures\Large Angle Stripes_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Carbon Fibre_x2.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Taskbar Grid 01 Mono.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\SasUpgrade.exe	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\lang\fr.lng	irsetup.exe

Executes dropped EXE 11 IoCs

pid	Process
2428	irsetup.exe
5152	GetMachineSID.exe
4620	Start11Srv.exe
5544	Start11Srv.exe
4980	Start11_64.exe
3904	Start11_64.exe
1416	Start11Config.exe
900	Start11Config.exe
3336	Process not Found
6052	Start11Config.exe
1296	SdDisplay.exe

Loads dropped DLL 17 IoCs

pid	Process
2428	irsetup.exe
2428	irsetup.exe
4980	Start11_64.exe
3904	Start11_64.exe
1416	Start11Config.exe
1416	Start11Config.exe
3136	regsvr32.exe
3712	regsvr32.exe
3712	regsvr32.exe
900	Start11Config.exe
6052	Start11Config.exe
1296	SdDisplay.exe
1296	SdDisplay.exe
1296	SdDisplay.exe
3336	Process not Found
576	Process not Found
4912	rundll32.exe

Modifies system executable filetype association 2 TTPs 6 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Start10Shell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Start10Shell\ = "{6A451C0A-9597-4915-BCCE-6E859BC996B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Start10Shell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Start10Shell\ = "{6A451C0A-9597-4915-BCCE-6E859BC996B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Start10Shell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Start10Shell\ = "{6A451C0A-9597-4915-BCCE-6E859BC996B2}"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4700	1296	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11Config.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11Config.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11Config.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetMachineSID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11v2-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SdDisplay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11Srv.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SdDisplay.exe = "11001"	SdDisplay.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL	SdDisplay.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL\SdDisplay.exe = "1"	SdDisplay.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Start10Shell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Start10Shell\ = "{6A451C0A-9597-4915-BCCE-6E859BC996B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S8Theme	Start11Config.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\S8Theme\Treatment = "3"	Start11Config.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S8Theme\shell	Start11Config.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A451C0A-9597-4915-BCCE-6E859BC996B2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Start10Shell	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Start10Shell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S8Theme\shell\open\ = "Set as Start11 theme"	Start11Config.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S8Theme\shell\open\command	Start11Config.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A451C0A-9597-4915-BCCE-6E859BC996B2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A451C0A-9597-4915-BCCE-6E859BC996B2}\InprocServer32\ = "C:\\Program Files (x86)\\Stardock\\Start11\\Start10Shell64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S8Theme\shell\ = "open"	Start11Config.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S8Theme\shell\open\command\ = "\"C:\\Program Files (x86)\\Stardock\\Start11\\ExtractS8Theme.exe\" \"%1\""	Start11Config.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A451C0A-9597-4915-BCCE-6E859BC996B2}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.s8theme\Treatment = "3"	Start11Config.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A451C0A-9597-4915-BCCE-6E859BC996B2}\ = "Start10Shell Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Start10Shell\ = "{6A451C0A-9597-4915-BCCE-6E859BC996B2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Start10Shell\ = "{6A451C0A-9597-4915-BCCE-6E859BC996B2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S8Theme\ = "Start11 Theme"	Start11Config.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S8Theme\shell\open	Start11Config.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.s8theme	Start11Config.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.s8theme\ = "S8Theme"	Start11Config.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Start11Config.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Start11Config.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1296	SdDisplay.exe
1296	SdDisplay.exe
1296	SdDisplay.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6052	Start11Config.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	5544	Start11Srv.exe
Token: SeIncBasePriorityPrivilege	5544	Start11Srv.exe
Token: SeDebugPrivilege	1296	SdDisplay.exe
Token: 33	4980	Start11_64.exe
Token: SeIncBasePriorityPrivilege	4980	Start11_64.exe
Token: 33	3904	Start11_64.exe
Token: SeIncBasePriorityPrivilege	3904	Start11_64.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4980	Start11_64.exe
3904	Start11_64.exe
1416	Start11Config.exe
900	Start11Config.exe
6052	Start11Config.exe
6052	Start11Config.exe
3904	Start11_64.exe
4980	Start11_64.exe
3904	Start11_64.exe
4980	Start11_64.exe
3904	Start11_64.exe
4980	Start11_64.exe
4980	Start11_64.exe
3904	Start11_64.exe
4980	Start11_64.exe
3904	Start11_64.exe
3904	Start11_64.exe
4980	Start11_64.exe
4980	Start11_64.exe
3904	Start11_64.exe
3904	Start11_64.exe
4980	Start11_64.exe
3904	Start11_64.exe
4980	Start11_64.exe
4980	Start11_64.exe
3904	Start11_64.exe
3904	Start11_64.exe
4980	Start11_64.exe
4980	Start11_64.exe
3904	Start11_64.exe
3904	Start11_64.exe
4980	Start11_64.exe
4980	Start11_64.exe
3904	Start11_64.exe
4980	Start11_64.exe
3904	Start11_64.exe
3904	Start11_64.exe
4980	Start11_64.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2428	irsetup.exe
2428	irsetup.exe
2428	irsetup.exe
5152	GetMachineSID.exe
2428	irsetup.exe
2428	irsetup.exe
2428	irsetup.exe
3904	Start11_64.exe
4980	Start11_64.exe
3904	Start11_64.exe
1416	Start11Config.exe
1416	Start11Config.exe
900	Start11Config.exe
900	Start11Config.exe
6052	Start11Config.exe
6052	Start11Config.exe
6052	Start11Config.exe
1296	SdDisplay.exe
1296	SdDisplay.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 5128 wrote to memory of 2428	5128	Start11v2-setup.exe	82
PID 5128 wrote to memory of 2428	5128	Start11v2-setup.exe	82
PID 5128 wrote to memory of 2428	5128	Start11v2-setup.exe	82
PID 2428 wrote to memory of 2132	2428	irsetup.exe	85
PID 2428 wrote to memory of 2132	2428	irsetup.exe	85
PID 2428 wrote to memory of 2132	2428	irsetup.exe	85
PID 2428 wrote to memory of 5152	2428	irsetup.exe	87
PID 2428 wrote to memory of 5152	2428	irsetup.exe	87
PID 2428 wrote to memory of 5152	2428	irsetup.exe	87
PID 2428 wrote to memory of 1612	2428	irsetup.exe	89
PID 2428 wrote to memory of 1612	2428	irsetup.exe	89
PID 2428 wrote to memory of 1612	2428	irsetup.exe	89
PID 2428 wrote to memory of 4272	2428	irsetup.exe	91
PID 2428 wrote to memory of 4272	2428	irsetup.exe	91
PID 2428 wrote to memory of 4272	2428	irsetup.exe	91
PID 2428 wrote to memory of 4620	2428	irsetup.exe	93
PID 2428 wrote to memory of 4620	2428	irsetup.exe	93
PID 2428 wrote to memory of 4620	2428	irsetup.exe	93
PID 4620 wrote to memory of 3904	4620	Start11Srv.exe	96
PID 4620 wrote to memory of 3904	4620	Start11Srv.exe	96
PID 5544 wrote to memory of 4980	5544	Start11Srv.exe	97
PID 5544 wrote to memory of 4980	5544	Start11Srv.exe	97
PID 2428 wrote to memory of 1416	2428	irsetup.exe	98
PID 2428 wrote to memory of 1416	2428	irsetup.exe	98
PID 2428 wrote to memory of 1416	2428	irsetup.exe	98
PID 2428 wrote to memory of 3136	2428	irsetup.exe	99
PID 2428 wrote to memory of 3136	2428	irsetup.exe	99
PID 2428 wrote to memory of 3136	2428	irsetup.exe	99
PID 3136 wrote to memory of 3712	3136	regsvr32.exe	100
PID 3136 wrote to memory of 3712	3136	regsvr32.exe	100
PID 2428 wrote to memory of 900	2428	irsetup.exe	101
PID 2428 wrote to memory of 900	2428	irsetup.exe	101
PID 2428 wrote to memory of 900	2428	irsetup.exe	101
PID 6052 wrote to memory of 1296	6052	Start11Config.exe	103
PID 6052 wrote to memory of 1296	6052	Start11Config.exe	103
PID 6052 wrote to memory of 1296	6052	Start11Config.exe	103

C:\Users\Admin\AppData\Local\Temp\Start11v2-setup.exe
"C:\Users\Admin\AppData\Local\Temp\Start11v2-setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5128
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1936418 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Start11v2-setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-131918955-2378418313-883382443-1000"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2132
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c if exist "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stardock\Stardock ModernMix.lnk" (del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stardock\Stardock ModernMix.lnk" & echo found)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c if exist "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stardock\Stardock Start11.lnk" (del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stardock\Stardock Start11.lnk" & echo found)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4272
- - C:\Program Files (x86)\Stardock\Start11\Start11Srv.exe
    "C:\Program Files (x86)\Stardock\Start11\Start11Srv.exe" -install
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Program Files (x86)\Stardock\Start11\Start11_64.exe
      "C:\Program Files (x86)\Stardock\Start11\Start11_64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:3904
- - C:\Program Files (x86)\Stardock\Start11\Start11Config.exe
    "C:\Program Files (x86)\Stardock\Start11\Start11Config.exe" INSTALL
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1416
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Stardock\Start11\Start10Shell64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Stardock\Start11\Start10Shell64.dll"
      4⤵
      Loads dropped DLL
      Modifies system executable filetype association
      Modifies registry class
      PID:3712
- - C:\Program Files (x86)\Stardock\Start11\Start11Config.exe
    "C:\Program Files (x86)\Stardock\Start11\Start11Config.exe" FIXSEARCH
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:900

C:\Program Files (x86)\Stardock\Start11\Start11Srv.exe
"C:\Program Files (x86)\Stardock\Start11\Start11Srv.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5544
- C:\Program Files (x86)\Stardock\Start11\Start11_64.exe
  "C:\Program Files (x86)\Stardock\Start11\Start11_64.exe" START
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4980

C:\Program Files (x86)\Stardock\Start11\Start11Config.exe
"C:\Program Files (x86)\Stardock\Start11\Start11Config.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6052
- C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe
  "C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe" -prodId=2674 -ProdName="Start11" -company="Stardock" -forceUi="Welcome" -parentPid=6052 -prodVer="2.0.8.1" -ResponsePipe=1492 -ownerWnd=000B02CE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 2312
    3⤵
    - Program crash
    PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1296 -ip 1296
1⤵
PID:3332

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
- Loads dropped DLL
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Stardock\Start11\Default.spak

Filesize
456KB

MD5
21f335860a7e46e07a27282294e2a89b

SHA1
9bb0459be4493aaeb65cdbf67a85430259f33ddb

SHA256
70f6191e78b2603be47faf53052b3eab4897b311e932c01570444e9b147fa50e

SHA512
78db92966c58cba012d4a876599724d3e4b91e971ac837c85edfcb1603b004c002c799ae287b3b27eb604798a1500be4b3237d2f79fa7e7315b1e3b379d8c8f1

Download Submit
C:\Program Files (x86)\Stardock\Start11\Lang\en-US.lng

Filesize
112KB

MD5
a3be220e39e619e45133301c93629209

SHA1
be162ab451b44489573fd971de794e812306a091

SHA256
d33276820065e330b758282a6a5328e87d3db870dbc3a6c702897f75b99f8646

SHA512
eaeb4c46eadf4da085a2671fbd802b03bb5844c8e5d8926bede9f56d65fedafe2b9272d6c9806f94dd5d91489dd3ca4c52e08665db611c2eb99ebdf4819d643f

Download Submit
C:\Program Files (x86)\Stardock\Start11\MrmSupport.dll

Filesize
714KB

MD5
d3834ce63c831d6e814fcb4a789dc406

SHA1
c4073fb3505e0122643ff145db92b8adc805c452

SHA256
91002e79bd80c28d79ac3fcd7d73b10caa2888b23d18071a3321f731561bd227

SHA512
b082f0818d309cd07ce069f689ee2d0239b53686571d44ac8c7f43cbfaa495d9ace0d2ab4c593ebee3d6f25fb64d809b11090fa2d4d86400d2331ab203bd41c5

Download Submit
C:\Program Files (x86)\Stardock\Start11\PinLaunch.exe

Filesize
253KB

MD5
e1c1d962824ecf764806166644e4911b

SHA1
d895f81608a01023df27e4bfda228341997f7244

SHA256
351312eb20abf40983ac6bba7a33766355e7b3d4f5ea0e173fd537cb910b900a

SHA512
8c8868d569d381f4927431b582ef0adb301ab12f7aae782f629508a1ce3c44027315799c374cfcd274d0229c3a319af4e0dfb7ead86a794e80ac3208cbf9ba12

Download Submit
C:\Program Files (x86)\Stardock\Start11\PinMenu.exe

Filesize
253KB

MD5
e704c5d11852cb776d950444c01e659b

SHA1
00fb5ea2cb4717f9e35cc6cd82f5d345d6192646

SHA256
9ca4b38151db0e233d01a458a75abdc421a799823faa3d488d5a036b50b011cd

SHA512
952c25a2b0b9a4d51f9525f9fe7ed8d40c8d00ac48afcdc60eb228bfe2b25a45e3f351ec06cb85e4e8c54f223c32b0e6e0789fc1134b80d2992aff844c0c2a76

Download Submit
C:\Program Files (x86)\Stardock\Start11\S11Search.exe

Filesize
138KB

MD5
def5fe3a48b2bebb5d0bc4ffa4e68c8c

SHA1
fdfd31a5c27ae9e163e5400e0efefbbffdc1edee

SHA256
83f01e9fa92a596f1eb5665d0e1dbc94f2b97baa1d1e9f3d96607a6252e5fbdf

SHA512
ce98f707ec1a5fe41171a29b8c57f477783ec2b2bb7a04d2cf62e946179fe51b01cdad12211cfd93d11f229d2ce08ea0c99788f168fa2bb2b4a8539548c16245

Download Submit
C:\Program Files (x86)\Stardock\Start11\S11Search64.exe

Filesize
178KB

MD5
babbd30ce081bee9a63b399cd2ef9be0

SHA1
5fc81ad3e5437c30949cec375b6fe5d25a5aba4d

SHA256
26c86b920c6f5837078f3eca3a51b5b23563ebb763f7605531c3fc4a8cb2c5f4

SHA512
158d493e2967ecb6ff1a9603886166554c668407f83ad665e043453a1ce9c087473e40055c7c129de4fe02f1107accfb363753bfa322c82a8bd8a76679991980

Download Submit
C:\Program Files (x86)\Stardock\Start11\SdAppServices.dll

Filesize
1.1MB

MD5
468126eb1efaeb2c3897eaee587e0bbc

SHA1
b663598d60d094a90f6a1d07951d83c006be109e

SHA256
00767658b1ba964e19d0748ca4a66f01ff9e634a9f37c15b175a4c3c547d867c

SHA512
247d794cbad172ef6b7e8cfd6f97e5d6d47cf9374910d8d3ff43374bfca7f2cf54057e942f9c7e4e3e7add970c5496659a06485b72ef82c858679b338b836999

Download Submit
C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe

Filesize
58KB

MD5
bc5118ad146ea4de922e2eace6660751

SHA1
bf2d9a0baf01bd66b188230770c7eb972001158a

SHA256
7ffef2e309177d2f454cfc715ecdac4bd12aa6d481613a9e910bcfcf0fe6ba58

SHA512
aef5b73cb9a34d17c6df3e8f55d7d4aa0193879447b06fd7e0fe323bfd2ab708b71b07c8756a4092608c1761671d3170994479585e92dbd8c95753a4487e1ee8

Download Submit
C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe.config

Filesize
312B

MD5
285a4b35c0f55ed5c23214ae737889a4

SHA1
cfefb1722158720c9c2b54457af2b351695e29b6

SHA256
e0ae71b7dc3e1e989d86764fdab0f50f0824d18f05e2cac3043f9f1d0cbfba2e

SHA512
a8529ee2dbe04bfc88fe25bf1990da5603271460a2c8a85e237e1ea113c83196e45e62baecce0e9c774b8be3779c3aff63526e039129c23debc2b21f3ab1c327

Download Submit
C:\Program Files (x86)\Stardock\Start11\Stardock.ApplicationServices.dll

Filesize
40KB

MD5
147df3d63306ab94964c8498b6135015

SHA1
43165dc6cde38aea8e505eb070702053c7eca222

SHA256
420284bfbf6be8ef006d33f9e96bf5415ca17f011ebd381855fce20f466e9607

SHA512
23bdb905ac87eedaab84ec06135d984387d6c98d7bbf287700648def79a8693fbd1a5b9ef147b0f73812db17718928d6e65f021b10a7b322f6eced95012a9029

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start10.exe

Filesize
329KB

MD5
3e9994b595f6bffec24ed705398ea2fb

SHA1
01307767dcd1ba3ceab55c69e3e13d569ba1a202

SHA256
02dc0a089946622f72e685dfa24f3530f28cf62f342b2e82a7e0bfab7013c114

SHA512
d9fbce892cc0f848293c927c62085aa43b51e23eb82b03c41a8f4c95dda5e949e5a9a14934fa61723f49bf411d4391a2c45666c3c7b8a508055a3be55d269c63

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start10Shell32.dll

Filesize
155KB

MD5
cd8ad09f0d42a8e8c5922ff6c93d7d63

SHA1
66e49537f1234c4243ca0faebb7ce0fd71841731

SHA256
6c1df718f996f2310ff04867e14bbfc1be19b5cf48783d9ebf42cc5e1bcf1251

SHA512
cd61aa3dc932d7c42691629b55c212bd335296c03f922dfbac3b669d412bd03807b60eb80cd37b65d84e1db0dd00bdcd5c9b0bc1862e3fcaed0bc99ea5e5567f

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start10Shell64.dll

Filesize
195KB

MD5
59daa54e0f5401541bbb2ee0aabb950e

SHA1
0a0452f9ef2f4be99010e496c94a57659694b7fe

SHA256
e2dc00de1303726eb70c9f719efaea948ccf24edc76bf0ada1362343c0ae1887

SHA512
e1b5ce8f62f7b9e1d43788b6d9f12677ee70b4d97f2c8499240ba3018ea2d8f81cf4efc9232016a41da2e3900ad1769a05e9ffe26de718afe652b27a13f81d04

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start10_32.dll

Filesize
2.5MB

MD5
29b688e47f80abfdd7db6b29ec566507

SHA1
736982be30af38c92d7e7ed8ef491dd46465aff9

SHA256
5ab37b9dc3de29b821a07e94c7acb93c037c4ec97111855d0426ed6737594134

SHA512
a130feda5272486ba088a238f158c330df27760513107380808360827d4dca7d42e6b54408d98ac879595f73338c3d4fe62902838b5ccc1175a1656c054c4854

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start10_A64.dll

Filesize
3.6MB

MD5
fb60ddd4f7bb26dd2716ff7bacbd55fb

SHA1
b1a510067b86e8093be3168c757519c75d262486

SHA256
2eb1defbe0fd833782ee38349e04d4a2d7d89c70246172d5f728a65fa93b47b9

SHA512
524ba331702cfdd04082d3d65b3ae4abbbb53eafe8d0f1ada8739ad8cabe97999258a0231e55f0dd1a8ff6f631605a3a214734ef4045a48795d30952113f50c5

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start11.exe

Filesize
332KB

MD5
0d905bdf98a16dc6662c5b117e213e06

SHA1
12342c7bf296e027fcc9b61778880767c4bc4c72

SHA256
9cafbcc00ebc8860c3e9c2e0a278b24ae5205e8c36745e6ce377fa680afaa72d

SHA512
832ff7575e9bb44d6cfc9e497ae2fe9cb9b916459af7aeba98a1fdfed8bcccf517b178dcd8ab6b09f0c6e054628d2e36095ff3a18bf9165dd685d02e4a582286

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start11Config.exe

Filesize
10.2MB

MD5
5bd0201feeafadd51ea1075a3e4eab59

SHA1
4564e76e8cb9d36c3c688a8672d8dcf0a074f52c

SHA256
213eb120dcf252ffd3bb40c0e27e3535f523c78c964fe83dd3b1b51086b5eeff

SHA512
2a16404b16e76928f3d5d2f00aad36dac94cbe89e900538559454c5e6941fac24da292698ad95e104ffb9ac869b0843a15f4e87a329c227d971f735fbe0e2deb

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start11Srv.exe

Filesize
265KB

MD5
f70fbcc9916e38d414157a0deab1c4ef

SHA1
e7da005c8fbc1d309b28902cd2fa3d11022f42bf

SHA256
915737d623601c90fb63745a2ce2086b0b6c9551ff3e4b0156d705d8452cb95b

SHA512
50ca193c257a4c2b47d024cd9a002473aa69b64378097677b1265d456716292aa8d27d780082227aef2629970f11de3c4bd5d2c5073fe3c25972d06ecf5b52ed

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start11_64.exe

Filesize
365KB

MD5
46c398c5e82a61580b00b1aa8cc268f0

SHA1
b4d77f62a166521a791ac819d5f15b36089736b5

SHA256
0edd8851ef648039d36f3669bbfdcaee1ef1e45048b224af7f0358758db4604f

SHA512
0ff323d3d6b8eaa699a808991ded23bf572c844cad11fa987d20f482cfcd6fa21c41724484b1b5f7c3c42e1b6181add58a29966dea1726d3eb2febb7d3abc2dc

Download Submit
C:\Program Files (x86)\Stardock\Start11\Start11_A64.exe

Filesize
382KB

MD5
1ad990f26a923a418f0b03dcac0f964b

SHA1
337ae25698287fc151959ca727fd9f89b7bec7c8

SHA256
4690afc0120f278ef47db782ecb8d0f70426157a91a2c8dc8a8246f5fc57a926

SHA512
5438bff71b7e3fc117e3b60482062f5b85b798aa1407441a82a7c8ed4b5d894d5f53c8c410e53a56655a25fa5965affad44a66cbaad92ebaad45df75086c09e6

Download Submit
C:\Program Files (x86)\Stardock\Start11\Uninstall\uninstall.xml

Filesize
69KB

MD5
6abb4f1e60c013dfa8d72a175a6ec854

SHA1
549dfcaa5fc05e04eabbadf55fba53a97f526b89

SHA256
0a6a8a999a21d601eee7400b73431217fd9f15cc86f474a2298d8b6e0f48f05b

SHA512
9df1cb8c68a80a5e16b4b609ed60157285eb2bda74d026859843a348dd2b134dd0d5937fe62a2682198553d4b61dc7f2337e28381923a5911d010f2158308ab9

Download Submit
C:\Program Files (x86)\Stardock\Start11\Uninstall\uninstall.xml

Filesize
79KB

MD5
d5cd8b14585fe21865c260a426a82852

SHA1
4346c68e2a4eef30edbd2823c24bcaaf8f950536

SHA256
a5f96cbd1eee073ae875fdb3268a64a27392ab19cde2fdfe30ba2db64d0d9d9f

SHA512
aba3e2aac30c85953c171108b75d5aaf9f72e2892978a0165d9aef1c348bf1c304fa355437ea41025b3598fadadf4dcfe205167fa7944e21a51e2adffad2821d

Download Submit
C:\Program Files (x86)\Stardock\Start11\start10_64.dll

Filesize
3.5MB

MD5
1b30ac6f20f145b93f9a91a948f8e488

SHA1
85be08878fd1ef0fa99098cf81c753b8873c40a1

SHA256
d370ab1d6fef0bb03c4e06208d7afa0be2251a91a4e0e766dcf5d0f85167cbe4

SHA512
449c3899a917bbba149d7ab7e39cf992d7422f4fc502000596f93c0ec6042e9860f3483e181a33d5080cf2a878c30eb2b94af28df00537ab917ae15c9f98c906

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_B460DBDB6691F360C14B4617119E5588

Filesize
727B

MD5
15b844616e326cb7cfac3c136ca5d573

SHA1
5582c5f311577316d1fe4aa24da572f8d2509d1e

SHA256
f43098a4ef1a67a5dae77078216d83665791d1f9aba3bbfb96c417a3f3183062

SHA512
059cd1994442b1d5f5c9ad98b5d741fe3d3bae6e4714cc48b04a9041590996bf1e2132e3925532f961d82de7ae6b2966e9311587acfa85155f9de5a4b4c096d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_B460DBDB6691F360C14B4617119E5588

Filesize
408B

MD5
e252a25609dfdc0f2dfba85eea6478a6

SHA1
ad16cfe2c9102fd09de33fc2e234889f80fc7d22

SHA256
3d7cbbea68289d96bf801bba47665826089b49aaf309beaebf2aae660a86a465

SHA512
e9cd2f76d4a27aad5ba2195bab2b9363acbfb75662d2ca264608416664a679edfeafa67a977601676231e529a88957f1c3d11916848b22e92ac48cdef5d51cb3

Download Submit
C:\Users\Admin\AppData\Local\Stardock\Start11\SasLog.txt

Filesize
656B

MD5
364790733e4d11183215333b91ce8447

SHA1
af38dd93072d23bd8352b6b00bb4fa174aef1105

SHA256
b7c385ac386873e708193914f52c8289301f81d6f972633ea4618ec2d5d7ec0e

SHA512
746beb7786f0cf346cb49f0853d47801b8131419f3a318a57489d080797fbd16ecbb780475922f43e78fee6f3e413b922b50151fcb845c4bfca2ad93fc1c17d4

Download Submit
C:\Users\Admin\AppData\Local\Stardock\Start11\SasLog.txt

Filesize
1KB

MD5
5558e3e0349804d5a35947c7b191d906

SHA1
de2f6bb276eecc1655fc2b088c861596d2e9d3f9

SHA256
e4111ec055a25343ee945240803b2592b9dc517b595f1883d99d102c58750efd

SHA512
6d58dcd29ecd43c9669fe276b8c4c31a67949388979ffd8861d0469eda799b593d9ad77cee6c9fcf0e0f70dbd447e7cbe7dcf3cb416ff8bbd7b850c7fb7c1e31

Download Submit
C:\Users\Admin\AppData\Local\Stardock\Start11\SasLog.txt

Filesize
1KB

MD5
6aa59d37c00e58739467182589df178e

SHA1
833c8c528f7ffb3f3c6f9f379283d15321f1d254

SHA256
a892fb60315835a943bb92c714dd177a08cd94f80c6215ba78f420bdfdac5b78

SHA512
d47f6a8672e5cef0c53b617396bf61aeb101e963f1190b56c0cd91b54b5edf66ea92219187edd2af270db69f4091bad700880e1a65c10c73d2651b9b136287d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\REG8AEA.tmp

Filesize
474B

MD5
c6247e9f51d328f2d7d1bcf2dde15ae9

SHA1
66428b3d3a9789b980c7a820fb72ffb31e200f8b

SHA256
8540a5e828472342d208efce8a59cb130f735331eaaac4dda3a5ba8b4dbc17fd

SHA512
e093d2d3c1826afcac9158e9b5c98faa03c3a1d5642ea4f97cd93a8755d3f5be594651f3c9fbddd4df07850c13158fc84bc7541ebb84a501086f3916244523fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start11 Setup Log.txt

Filesize
84KB

MD5
499005cee4aaf59ee7469f61380e7ec8

SHA1
746889527fe279f5f269204a962c2e7170560b28

SHA256
277af002dae7b7772bdd7893ceb96e109e7402779b50c67142ade6979123b37c

SHA512
23d7b18b1f7c0c9620e66873bc8f897c208902b205ee960b4698bddbb620c18659618013188e7a206a42e4d9502e34e9b21e57f283ea07d37b0586bda7a44802

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd

Filesize
393KB

MD5
6eec47ab86d212fe3ed0f56985c8e817

SHA1
06da90bcc06c73ce2c7e112818af65f66fcae6c3

SHA256
d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed

SHA512
36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

Filesize
58KB

MD5
55bbf335f75f2a2fe0a5daf603964d41

SHA1
f1b9686e8a9f10682722fc5e08c02c016b597804

SHA256
723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43

SHA512
af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp

Filesize
39B

MD5
490757745bcf2271dc963dcfb4b4a016

SHA1
46bab9744d5d692befe75f88fd515fa4f103a86b

SHA256
98f3cec50e55e4ab08153837b6d59fdbaeb154151271d3d0b52eab504f393411

SHA512
699cd5ae0fbec6b524ed4306b18c1ac20bd949272c28ae6b61308688b0c1cdb6bdb0a6b6d1b54e43257bb2a4e4ffc68cad203ad04818c08a33d6f5134a12a69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

Filesize
2KB

MD5
3220a6aefb4fc719cc8849f060859169

SHA1
85f624debcefd45fdfdf559ac2510a7d1501b412

SHA256
988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765

SHA512
5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\eula.txt

Filesize
22KB

MD5
1f286ee31c288e8aae5200acc5b519b4

SHA1
fe76c325ca8a55e5354021b416ffe3b78c625fd9

SHA256
2896108090c277cbdb24b5fa6c87e6aa77bf4ed986f4b3ae4da0720c8de61ed2

SHA512
45062a327efcd0fe051940b950388ff58f5363a128c43b85fac3c9352b918707accaafa346292d62fe6f02be6d0366eade2954fb867fa48b3a50b510d72c12c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
memory/1296-844-0x0000000002B20000-0x0000000002B2E000-memory.dmp

Filesize
56KB

Download
memory/1296-840-0x00000000006F0000-0x0000000000704000-memory.dmp

Filesize
80KB

Download
memory/1296-845-0x0000000005B10000-0x00000000060B6000-memory.dmp

Filesize
5.6MB

Download
memory/1296-850-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/1296-851-0x00000000058A0000-0x00000000058AA000-memory.dmp

Filesize
40KB

Download
memory/1296-852-0x0000000008AC0000-0x0000000009266000-memory.dmp

Filesize
7.6MB

Download
memory/1296-853-0x0000000009270000-0x000000000979C000-memory.dmp

Filesize
5.2MB

Download
memory/2428-48-0x0000000005B30000-0x0000000005B33000-memory.dmp

Filesize
12KB

Download
memory/2428-839-0x0000000000110000-0x00000000004F8000-memory.dmp

Filesize
3.9MB

Download
memory/2428-47-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/2428-13-0x0000000000110000-0x00000000004F8000-memory.dmp

Filesize
3.9MB

Download
memory/2428-95-0x0000000000110000-0x00000000004F8000-memory.dmp

Filesize
3.9MB

Download
memory/2428-96-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download