5f64190eb10b2cbba325b88f6f2e1a93c872383a6e62fed6a46842ed25b4489a

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2022 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

_Silent Install.cmd
Size

1KB
MD5

b144f4c817cf6a66b2e468b1379dc669
SHA1

adfe8b7d329561bfbeb14dff6a281b46a7da1eb3
SHA256

ce86cd60690255a5a5e7375a7ba779bccbf26591f5948d3ca246d1fc599dcb41
SHA512

39e03d822f915ef9c4f6a9cd1ee9e593ada79060cbaae1d4f06ee48c7aef2e9c3ce5043e1966a390e777b319696a2c5bfe49882fbf0023b8053fd45b1d693fea

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1968	StartBack AiO 1.0.65.1.tmp
2524	StartIsBackCfg.exe
1972	StartIsBackCfg.exe
1832	startscreen.exe
4684	StartScreen.exe
3352	StartIsBackCfg.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Registers COM server for autorun 1 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da3306b1-2554-420b-8d0e-6bd29bb4d8ed}\LocalServer32	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da3306b1-2554-420b-8d0e-6bd29bb4d8ed}\LocalServer32\ = "\"C:\\Program Files (x86)\\StartIsBack\\UpdateCheck.exe\""	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe

Loads dropped DLL 10 IoCs

pid	Process
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
2524	StartIsBackCfg.exe
2524	StartIsBackCfg.exe
1972	StartIsBackCfg.exe
3984	explorer.exe
4684	StartScreen.exe
3352	StartIsBackCfg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	StartIsBackCfg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\startscreen\desktop.ini	StartScreen.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\StartIsBack\StartScreen.exe	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\StartIsBack64.dll	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (06).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (23).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (59).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\Shamrock.orb	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (26).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (45).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (48).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\Windows 7.orb	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (03).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (21).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (34).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (80).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (39).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (44).bmp	StartIsBackCfg.exe
File opened for modification	C:\Program Files (x86)\StartIsBack\Orbs	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (13).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (17).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (28).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (36).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (38).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (57).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (60).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (67).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (69).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Styles\Plain10.msstyles	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (56).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (62).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\UpdateCheck.exe	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (11).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (25).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (31).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (47).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (50).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (63).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (75).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (10).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (37).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (66).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (79).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Styles\AeroByDesign.msstyles	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Styles\AeroSquared.msstyles	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (16).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (27).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (32).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (73).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\StartIsBack_Ei8htOrb_v2_by_PainteR.bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Styles\Aero 8.msstyles	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (46).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (54).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\StartIsBack32.dll	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (02).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (08).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (14).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (33).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (40).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (61).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (77).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Styles\Plain8.msstyles	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (04).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (07).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (29).bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\orb (30).bmp	StartIsBackCfg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 58 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4172	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
1944	taskkill.exe
3444	taskkill.exe
3788	taskkill.exe
5096	taskkill.exe
3352	taskkill.exe
4088	taskkill.exe
2312	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\ImplementsVerbs = "startpin;startunpin"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\runas\HasLUAShield	StartIsBackCfg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "789"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2705"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2209"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "162"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\OpenFolder\Command\DelegateExecute = "{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2386679933-1492765628-3466841596-1000\{2DFF77BD-24E1-4098-8403-91C413CAEC18}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\DefaultIcon	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\OpenFolder\Command	StartIsBackCfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\System.ControlPanel.EnableInSafeMode = "3"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.AppsFolder\Shell\ChangeIcon	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell	StartIsBackCfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Properties\SeparatorBefore = "1"	StartIsBackCfg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "789"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\ShellFolder\Attributes = "0"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}	StartIsBackCfg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2209"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Open	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\ShellFolder	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\ShellFolder	StartIsBackCfg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "162"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{00000000-0000-0000-0000-00900000000}	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSILink\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\ShellFolder	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex\ContextMenuHandlers	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\Shell\Open\Command	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\runas\Command\DelegateExecute = "{A9249952-F4C6-4BCD-9B44-6A5BA9B5209E}"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\Shell	StartIsBackCfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\ShellFolder\Attributes = "672137216"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\OpenFolder	StartIsBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "6933"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sib-reactivate\shell	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sib-activate\shell\open\command	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\StartIsBack.UpdateToast	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\ = "Taskbar Pin"	StartIsBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2211"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2705"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\ = "All Apps"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\StartIsBack.UpdateToast\IconBackgroundColor = "0"	StartIsBackCfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\SeparatorBefore = "1"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Properties	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.AppsFolder\Shell\Delete\Command	StartIsBackCfg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\Command\DelegateExecute = "{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}"	StartIsBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8774"	SearchApp.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4340	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4088	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	3444	taskkill.exe
Token: SeDebugPrivilege	3788	taskkill.exe
Token: SeDebugPrivilege	5096	taskkill.exe
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeTakeOwnershipPrivilege	1972	StartIsBackCfg.exe
Token: SeTakeOwnershipPrivilege	1972	StartIsBackCfg.exe
Token: SeTakeOwnershipPrivilege	1972	StartIsBackCfg.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe
Token: SeShutdownPrivilege	3984	explorer.exe
Token: SeCreatePagefilePrivilege	3984	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1968	StartBack AiO 1.0.65.1.tmp
2524	StartIsBackCfg.exe
2524	StartIsBackCfg.exe
1972	StartIsBackCfg.exe
1972	StartIsBackCfg.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
4684	StartScreen.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe
3984	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
1968	StartBack AiO 1.0.65.1.tmp
3796	StartMenuExperienceHost.exe
3984	explorer.exe
3680	SearchApp.exe
3984	explorer.exe
3984	explorer.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 2560	4332	cmd.exe	81
PID 4332 wrote to memory of 2560	4332	cmd.exe	81
PID 4332 wrote to memory of 2560	4332	cmd.exe	81
PID 2560 wrote to memory of 1968	2560	StartBack AiO 1.0.65.1.exe	82
PID 2560 wrote to memory of 1968	2560	StartBack AiO 1.0.65.1.exe	82
PID 2560 wrote to memory of 1968	2560	StartBack AiO 1.0.65.1.exe	82
PID 1968 wrote to memory of 4340	1968	StartBack AiO 1.0.65.1.tmp	87
PID 1968 wrote to memory of 4340	1968	StartBack AiO 1.0.65.1.tmp	87
PID 1968 wrote to memory of 4340	1968	StartBack AiO 1.0.65.1.tmp	87
PID 1968 wrote to memory of 2524	1968	StartBack AiO 1.0.65.1.tmp	88
PID 1968 wrote to memory of 2524	1968	StartBack AiO 1.0.65.1.tmp	88
PID 1968 wrote to memory of 2524	1968	StartBack AiO 1.0.65.1.tmp	88
PID 1968 wrote to memory of 1972	1968	StartBack AiO 1.0.65.1.tmp	89
PID 1968 wrote to memory of 1972	1968	StartBack AiO 1.0.65.1.tmp	89
PID 1968 wrote to memory of 1972	1968	StartBack AiO 1.0.65.1.tmp	89
PID 1972 wrote to memory of 1832	1972	StartIsBackCfg.exe	90
PID 1972 wrote to memory of 1832	1972	StartIsBackCfg.exe	90
PID 1972 wrote to memory of 1832	1972	StartIsBackCfg.exe	90
PID 1972 wrote to memory of 4088	1972	StartIsBackCfg.exe	91
PID 1972 wrote to memory of 4088	1972	StartIsBackCfg.exe	91
PID 1972 wrote to memory of 4088	1972	StartIsBackCfg.exe	91
PID 1972 wrote to memory of 2312	1972	StartIsBackCfg.exe	93
PID 1972 wrote to memory of 2312	1972	StartIsBackCfg.exe	93
PID 1972 wrote to memory of 2312	1972	StartIsBackCfg.exe	93
PID 1972 wrote to memory of 1944	1972	StartIsBackCfg.exe	95
PID 1972 wrote to memory of 1944	1972	StartIsBackCfg.exe	95
PID 1972 wrote to memory of 1944	1972	StartIsBackCfg.exe	95
PID 1972 wrote to memory of 3444	1972	StartIsBackCfg.exe	97
PID 1972 wrote to memory of 3444	1972	StartIsBackCfg.exe	97
PID 1972 wrote to memory of 3444	1972	StartIsBackCfg.exe	97
PID 1972 wrote to memory of 3788	1972	StartIsBackCfg.exe	99
PID 1972 wrote to memory of 3788	1972	StartIsBackCfg.exe	99
PID 1972 wrote to memory of 3788	1972	StartIsBackCfg.exe	99
PID 1972 wrote to memory of 5096	1972	StartIsBackCfg.exe	102
PID 1972 wrote to memory of 5096	1972	StartIsBackCfg.exe	102
PID 1972 wrote to memory of 5096	1972	StartIsBackCfg.exe	102
PID 1972 wrote to memory of 3352	1972	StartIsBackCfg.exe	105
PID 1972 wrote to memory of 3352	1972	StartIsBackCfg.exe	105
PID 1972 wrote to memory of 3352	1972	StartIsBackCfg.exe	105
PID 1972 wrote to memory of 4172	1972	StartIsBackCfg.exe	107
PID 1972 wrote to memory of 4172	1972	StartIsBackCfg.exe	107
PID 1972 wrote to memory of 4172	1972	StartIsBackCfg.exe	107
PID 1968 wrote to memory of 3984	1968	StartBack AiO 1.0.65.1.tmp	109
PID 1968 wrote to memory of 3984	1968	StartBack AiO 1.0.65.1.tmp	109
PID 3984 wrote to memory of 4684	3984	explorer.exe	112
PID 3984 wrote to memory of 4684	3984	explorer.exe	112
PID 3984 wrote to memory of 4684	3984	explorer.exe	112
PID 3984 wrote to memory of 3352	3984	explorer.exe	119
PID 3984 wrote to memory of 3352	3984	explorer.exe	119
PID 3984 wrote to memory of 3352	3984	explorer.exe	119

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_Silent Install.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Local\Temp\StartBack AiO 1.0.65.1.exe
  "StartBack AiO 1.0.65.1.exe" /SILENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\is-FD26D.tmp\StartBack AiO 1.0.65.1.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-FD26D.tmp\StartBack AiO 1.0.65.1.tmp" /SL5="$9003A,5455581,64512,C:\Users\Admin\AppData\Local\Temp\StartBack AiO 1.0.65.1.exe" /SILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\settings.reg"
      4⤵
      Runs .reg file with regedit
      PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\StartIsBackCfg.exe
      "C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\StartIsBackCfg.exe" /trialover
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\StartIsBackCfg.exe
      "C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\StartIsBackCfg.exe" /install /elevated /silent
      4⤵
      Executes dropped EXE
      Registers COM server for autorun
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\startscreen.exe
        
        startscreen.exe /stop
        5⤵
        Executes dropped EXE
        
        PID:1832
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM startscreen*
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM explorer*
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM explorer*
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM explorer*
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3444
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM explorer*
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3788
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM explorer*
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM explorer*
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "\StartIsBack health check" /XML "C:\Users\Admin\AppData\Local\Temp\sibtask.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4172
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies Installed Components in the registry
      Loads dropped DLL
      Enumerates connected drives
      Checks SCSI registry key(s)
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Program Files (x86)\StartIsBack\StartScreen.exe
        
        "C:\Program Files (x86)\StartIsBack\StartScreen.exe" /unpin
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Suspicious use of FindShellTrayWindow
        
        PID:4684
    - - C:\Program Files (x86)\StartIsBack\StartIsBackCfg.exe
        
        "C:\Program Files (x86)\StartIsBack\StartIsBackCfg.exe" /welcome
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3352

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3796

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\ISTask.dll

Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\ISTask.dll

Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (01).bmp

Filesize
34KB

MD5
11e0323b133fd9636303628ab5c29ddb

SHA1
d3598f798d9bcf6325bb9ff435f399096a6c5749

SHA256
2b82e87a06200df422200650aed769c5a1540916dd655c0e30053663c10102b6

SHA512
69033cf3f036cca0fc332e9539c44816f5cf68279bc45b952902234e328a7fce6917e6c9a13f47b152a736b4c766f16c92d1488f74e9ab5bc63a08480e695c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (02).bmp

Filesize
34KB

MD5
f865369213b4c92d49714c0f48c59572

SHA1
5eff868cef5a83d39df60ea4693e86eba74197a3

SHA256
de8394e10efebd5baf96d4b7e80acfa331cff056946d21991455588d6a566da8

SHA512
5b50139990321eb7ac6d3815a0a783e8234c0e3f25ddfe0b186a1174e7b46eb8c876cfb9693528910be12e45e44f0b1be37a0db2e349f02844bd3a662c6f5be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (03).bmp

Filesize
34KB

MD5
84b762afb8d46522c2f6bdcda3b19b17

SHA1
b24eb73a17842ac6328a0ec2ac720e2446fee02f

SHA256
16b04215eb46520a144481a1542be34c5efae624f842c6e8f52fe0621dfb6add

SHA512
cb84d58b526d15cc69d12bc476ebd4a25f118333230f8364b134e1fa891523b7c9234c52e31a2b690f76f60d446baec111fcb55cb67c52274d24209a703342f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (04).bmp

Filesize
34KB

MD5
9a2045686e4662eadcf39610f696154d

SHA1
b83055a0fc7a875a0f4da68cedc9c5948935b347

SHA256
552089e47a13e90f8139bc9897645cf704ed4fd34ccfe2c69b1de1822dd1a090

SHA512
2ee5152f754c31ce1d4e7621918449d81dfaeb5c161fc85b79d9781cb211bcd58c97f739e3840a5f207ed3ddf1316cc3cc05f07a8ebc8d6b6acd717e78741f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (05).bmp

Filesize
34KB

MD5
6be004e878f09288c5bbf049117aa376

SHA1
95761dac81b50c4c699415aae2543c7e05e831d3

SHA256
0a28c543dace2eba41769ef91356fb8bf1d6b2db2c7bddabde117498df507201

SHA512
418a321c13cc5307248f2051f034dab76b5f1148fdcd69759028ffa92fd5ce8a6c0d2c2aaccff4a934bc1214f520b52f3ccd34e5e9049a01a5df0998eaeec6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (06).bmp

Filesize
34KB

MD5
d4f6147833849b087ce3e65f6550d284

SHA1
5bd37d7770722bb86ca11741d5097c8e948e534c

SHA256
a7cbe1130bfedc483854d7a966403aea14112f145ed0d36ee687038188019887

SHA512
495f09d546acd2bdff3aec3ad69b39ea90177f12f3678532c9f3d78be69db4a9c78b1e191eb30f214d9d507ebf6b6a68e2b54dfa9da0d939e4613b7a03e07f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (07).bmp

Filesize
34KB

MD5
1ca29f2d4d5e4ef74be52a70a0837ed6

SHA1
0731599fb817cf1e8a42719ca0f02b4d51b366bf

SHA256
9aef1a08705528cfc435834fe3fb4ee2dce1c86a04b816cde32135d0677039b6

SHA512
143b3747cd45c0d198237d5f26da21f785e1d59173d57adf92327100841fddec1ca1ad30c90bbf2d04180006383c18c63ac6f4980a74c49e677d5321342f9d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (08).bmp

Filesize
34KB

MD5
5c3f2576e9564c2b0eb59ab03a92e40f

SHA1
47551505e2503ef6770d8985537fcb3006fef07e

SHA256
78faf19bf001ff0a2513d28a02a6f43f7c836ba95a041ad10e6633408fb88735

SHA512
c375879339463474a4f91b99f49d2e689c3a87a6d9c1731fa412078b0f8741799b8b655dd71172d7fb69eb5a2a23d8c22b8dfcb4e073d92fc509571c4a60ca97

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (09).bmp

Filesize
34KB

MD5
05ad757b09d24d5ba4307944881df4e7

SHA1
d75cade8c50a490051c318073bf70ec4574c4b50

SHA256
2a269ca94130a164f57b20564d5968f8da8b1e967df98da085063b9722550b5d

SHA512
c8f187e1e71f47c4a8793f9e1e2261009bcedf634f9f2f11359f6a5f5685bdc35b6d5052b2110502d710e4db10432a1b5baf7e18e5b90bea0e0b496a2e10dfc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (10).bmp

Filesize
34KB

MD5
be11528dd486f730b077ed491ac4f18a

SHA1
c4e5e48e4340d82ad2dedbfb9a8df8ca6f8ce38d

SHA256
e840d6b77591898fd305510f10cf54e887cc867806efdeae673eb8f187ba536f

SHA512
1b60b412b9ee34b74b9336ac00a8f2c3018cd97c9e1112e2bb1b9dec85ee89174803a78eb757dff1d107275bbb9ff6cf809e6f367ebb9d04d2ec43651dbbcff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (11).bmp

Filesize
34KB

MD5
1aeaa39614c8410c2edd33011ec7b4ac

SHA1
6218e16123b389fd80e30c5d88070d97113ae230

SHA256
f8ceae50c591b7432d5189167a8a6ec4770dac32359a6b8d759b093e9e683dc8

SHA512
86cd0b4c29ed36b05b517314e3cff5299711dcf9edd3ab94c8cc210f10c2b1ee5d2843de368b6e1feb04dc8dd2a58990b100ec9722adfdf4dc6d4864a9a366e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (12).bmp

Filesize
34KB

MD5
a48ac3f2b9bbca87a6d1463020c6fdba

SHA1
850d5f15a6c26da1ebb82bf03a63a2a5b7687810

SHA256
cea7aafce82159a8561379222d4d61cac3db6a887b842d6eba452d5a19758caa

SHA512
370270b4491f4902d63fca40d3d0d55065d4506c09fbe7804f9a792800a18f4ba6af22ee45b7517d4370a2cf00f189df107d3465996eba801a6e8a20e9801b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (13).bmp

Filesize
34KB

MD5
9cb64f0a2e5d4083660e9ee4a923b726

SHA1
d54449559bd47acd846daef230067a38b85dc8a5

SHA256
05fd26a1be27fc7877e5a69b71add5753a60ecfdfe79a57ee9b405a9f14a5583

SHA512
38c5e5fceaa0ff8157e5afdbb9316dbe8b2ad59fb2d0cd1d67176c759c1cafcbab55922a4cac93601ef0abf46327fa182dfc08fb3be15c40b3b671614a942d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (14).bmp

Filesize
34KB

MD5
85c636c7dc3a4c46a71329f8661b945d

SHA1
deb880d3536361eb930249e5c385080d64ff8210

SHA256
47ebba452925a7324b61b4a25354c36c502a3f98d7b0a529430570c33faca104

SHA512
3dd3f5b80e6b8e83d5613cea013733f6a6ab0e9c12279d54a1cb7e8aee9e2cf5f3b0a656b45b22cf9b056acdd7e06ffa401ad995551de1162d0fb5f73dffad7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (15).bmp

Filesize
34KB

MD5
d94cd12a5a54f9cda39dcf9f90a2d039

SHA1
f216f917cc857a8c7e64ad26ed67dda57c2f3543

SHA256
d1cf536962fdcf19a7a869a0cdb4cadf5366e4b2b55133824bf22cb44483f188

SHA512
c691442a8304be5611e7085195f17b2d818ee61cd2c64dc0d247a8d0a8fef11a17d4bc8128dbbda33162512a9ce5d9aea17b010c84019f8021302958ae844a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (16).bmp

Filesize
34KB

MD5
beb51dfeca5ca703c9638b2f480efa45

SHA1
49e3e5e85247f90c06c78d22e98e20df32a3c19f

SHA256
cf73486d08712515288850d0ee62ab4b8eb18c3ded0da79ae77adca2b80ac187

SHA512
e7f35ea7b456be1d56f06ea8940334d02f7ee07446bec132a8374fe5de1d07bc7d984cdbb8e2b1ed7f87de7cde551315afde7d47264fdc5ba42a622827b22f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (17).bmp

Filesize
34KB

MD5
4a9eed0db858c33126b780ac2ba1743b

SHA1
9d6529ea98363723ad29db6c0fba73aa1f98ff47

SHA256
c847df3e13e05cfcdd64a0a1577b09099b0880311d331449561b5fe70d303425

SHA512
4db84aefb5a95a41c07ad090df88fa38644ff955f7b77899392e41db53f8da5cb1418e285ada0016597ddc19b741d0ba9e46695d6c330fd2d50051a709adbf73

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (18).bmp

Filesize
34KB

MD5
016f0f349796d527d4dd81a722c50442

SHA1
469968919c49062eed2eba36733f9e1184ff6c0a

SHA256
cb05de60c38ac2c64f8dc504efbef3f008f876b607de7b3d56dedfe1c43ecfa1

SHA512
bec5f1d0101c57b6080d70cfe27adc7251099d281074de1d014be5c2e4650238a628c8b4a5b27a9752c91e7c3b5f3e8947aa86d4f20ffd3d31fc3c9fbaa70ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (19).bmp

Filesize
34KB

MD5
6ae8407f29a65cc80c9fbc67ca896353

SHA1
cc235c9d1fa96ee896df22322ba5476e31f0d286

SHA256
d826704c4a810572f03ae06a6924d8377b5188bf4bb8fd837354578943fdc674

SHA512
45091c0e6167dceec36a9ed4db86eb4d557a494fbf7104c2fdade8a7d0a315555dff59f03614f0ec6a5a1f8f02144afb98c98d7b43c624b3fa47cd262d654e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (20).bmp

Filesize
34KB

MD5
39b4473586d14fc8c442d19c64214183

SHA1
220e703dca406720130135676804d8a9fb4853ef

SHA256
46567879ed182b5bf29d82ef2c482c184b03f37fbe49d5e746f6b753ab1e30ea

SHA512
8313f885384c44ec05402b366d94ec73b40aed9f88f57463311d8dd0a17ec9c6c45ec1c4231b8addc721d791bc80115f1392336d41d42dbb3d97251e33dc328c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (21).bmp

Filesize
34KB

MD5
43fa2ad0400e788c178785c9692e09d4

SHA1
455d087edc3a2dd1aae2ac0b0ed2b749e44e5cac

SHA256
adf4d3e7b8a94b8ed72a88bdaf648c34ed2aa73475a7a7c2962cd8ec72ad9fd7

SHA512
0e570e04ff7cc929bb80ae0e4e4de6d576f93a799744d969b7055cb380675c695f62fa4b1583b40adee9ac9fb6854e099661d70a3b76830f78a9a24d1af7c2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (22).bmp

Filesize
34KB

MD5
6aa5b24db6ab2857a5c6b8549e28345b

SHA1
015fd05aa6462444e0612a4b34cd19747bd24d29

SHA256
66bc953ad69f3ef58db527d46ab6907fb2cefe00c758f6ce4a2909da1b37b9b1

SHA512
b1b7a71528dba990fc3a17c3a4ed11b657a31ab25abe15ecb7a5122998ebd1b8d008cb02d611ea982b646904d08282127b39da3aecaa3839474ca4fefdafa1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (23).bmp

Filesize
34KB

MD5
7d4072be9c7929fc8187d78af6a1c6d2

SHA1
44593b17b347470117091ccc0d98d1c508dc637c

SHA256
94368025ae8cfcab80b2ae56f76d43f80377e853f184c3174d36f8dd0e842831

SHA512
cc706085c5b1f91dccff8b287df5b91038af6cfe9cdeeb43369fbad4354f93bd7af41e726e5e87bec4ced1414f87ef85680687d4e6877311408edde8ef79a421

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (24).bmp

Filesize
34KB

MD5
ab0b85e42cc3e083b469346a5d81acf5

SHA1
825571a5d3583c7eeff4207c3ea2c45aa20bdf05

SHA256
c76c90bd3379a80d2eb14562771303948bdd63badcaa306d251ff9625afb7979

SHA512
63ac4d450ef6e7d45fd1bb4b23b9492782c9bf6eec6315cc2815c426161d34e344b1b983be078ba1aec8ecfce3111fe32a69d8361f42485a621747c9ee5f3f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (25).bmp

Filesize
34KB

MD5
f5ee5dedd35f2d42189357c09fca0617

SHA1
0b7328aa178ae24ad78ea4069b45d0e096ca0c07

SHA256
7bb5dddf1a8c1751c5243e080d98b75d7bfaa3f25ba23b9d40254dc4c3660a82

SHA512
bfe150c15c3c60ab09cbc787173e8ed5566790b1d28a0f8c42cb1048c3d10a05e0aa19a83f215162cec4fbd4ed3a3474b22f6c5c6e1d411a5e771a0be27eb824

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (26).bmp

Filesize
34KB

MD5
289cc358c24d492ed493ee2d9a62663e

SHA1
3d35f2c2ba4a2d5edc51c2b53220322c93bb7a0d

SHA256
199ea1b6f14425afb8aa1d9915f8b536e675df0fe529303a491d86c2350aa306

SHA512
eecb52e7607e4bbde1cf2f4d45e28dc0127930d7189906d3479820eee68a3587beb58ddeb4f780ffb0100f1de41c433c41f1fad1d3155fafafb4f51b0ef6d311

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (27).bmp

Filesize
34KB

MD5
c8b03facf146f0e44fceaa4844743cd7

SHA1
28afc73268d497b1ada4c41c6329509446477f3c

SHA256
ac491c42a3a0011033480c4f7990b2e55142aaf9f6660adc46b90cdbf04ba623

SHA512
19fead4f47c187fa661d3d9dfeb85e2a15c9156a093d9b51769f150b3b8d2a93fd1ecf29ae17f547c8a8947362dedc48e6c736926b493b8caa5444f1a92d7b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (28).bmp

Filesize
34KB

MD5
26b0cee74d2e70c180c6d0a5940b333a

SHA1
11d3b2af99a2145b1be64b6a79c69af5251aeb7e

SHA256
e2f1c9b3f7665f8a7fc396a8ebb86c362f1a774f7eb8ac1593f804a9d4e3ccd0

SHA512
db1b59f7ffefd7548ae969455dd48a6cdbbb598ce27793e3725ed3521c6b7e9ed03d1e14f4ec733114e78f45e205d2439532a828da0462c682f96b5758070604

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (29).bmp

Filesize
34KB

MD5
119e37a4495d378dca239ed42df24293

SHA1
b640a44bc683c86ebb39a882c5af709bfa9b2f79

SHA256
c741685f71dbc2b1bd701082d9f05680225460f8ca969ef0bbbc53809a62be1b

SHA512
81051404068b2d7b505be791c185e0c2363eaf7893f0302ec63acd182d589c0fefa7a259867ea8f0d412baa6f14e86cc8041f235ac7a573046078272744f7ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (30).bmp

Filesize
34KB

MD5
0aed674b1876b73f2c983adafbdff954

SHA1
27c894123b7588ef51854df2c0145b00d96a85f7

SHA256
bf3b66c1f46a56811fe870a26fbd40a4992a2f7be2dbfc93e27064b5425c13ae

SHA512
e0a4b70594078f9f1cd49f4dac594476aa20214131566a0176a0749fb960d8f4719c5aa9e0f34bab712b77c3bf031eea2bdc59be5bf938a9035af2a05e2741e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (31).bmp

Filesize
34KB

MD5
7f0983a0e55162ee265fc371dc925846

SHA1
6adf5985f7908182b005429a6ad440bc83662744

SHA256
50f036ff8aba59e5e6508f0c17261f2cf56385c8d49ac7ab9cfffb3884e0fd4c

SHA512
90ae350d9586e5673db5d20f927d8d1f46db01c58bec73cf861b996a34205442730b54af71a0a3031f0a0a1a311e3d94774f8f1c602eb1cfdcf8f57622f0b94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (32).bmp

Filesize
34KB

MD5
d467d93aaba40f4fa18cbe9df711ed6e

SHA1
f142afe431d112860660317ba5c7185f255bc5c4

SHA256
6353e7165dbaf256e3e6b8efc88f80a9892c73da954e58d4e25aaab07e4c3f25

SHA512
d7791676f4ecbb22568c4a48bbe850068511a77283317067162a514715ad55f60ace1b06546fed29c2a2b1d72fe458c8043e36107edb4bd089d621b937805c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (33).bmp

Filesize
34KB

MD5
1a7e81f92c5a28ee1e8e7055aed87de4

SHA1
215c5cffa3760b1db61fb1cd243eb3336e7fe6eb

SHA256
d95b0a0ed030e9f5498033d4a89ac89a82a5579321969546372edc1726a832bc

SHA512
79282c6f5c6e73df8365fcde4547d91707154553759c12c0167d7a28b52f53790cd5e6e1b0378187825ee46dbddc08c44bb3364934d639638511d88d82c06792

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (34).bmp

Filesize
34KB

MD5
4794757c8ca78308458787f3a740c0d7

SHA1
c5c92c2e78b729fd10ec7e17ed4ac745f58f3ab2

SHA256
61be3df111568285c1b60a520730314a414ffe36302b2fbaa71980ed4d070b76

SHA512
24a6073457f20ef8d4b8c4dd93e82041c9b76e4136a02e5e7e2edb17d0b2abb0cb8af55a1355db73cb9864080345b1da00c8aa8d6fa63c6c6ec7ad8ea89da836

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (35).bmp

Filesize
34KB

MD5
a7b96efb9b52df67327a4a3d8404e489

SHA1
13f6d4226aff69a9105e777f172a0d00dde4e028

SHA256
d1bf3f7dac49704ad5e03a972c58cc77f8385dac099c6f6ea44caad2edad099d

SHA512
c5b5f2a5336b2b69cfecd781735ba8939b1038100d4758ed6167380f68f18dc3a94b69e8a6ba295c255218322fe89e8507f9c635216be6a3e58a81c7193cecd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (36).bmp

Filesize
34KB

MD5
8194658f070d70aedb269cc65cbc0f84

SHA1
5b197b8bfcf0b6d17f7b6271ba920266b5912e35

SHA256
b3dee1018dff00954c32d44b67a35489815d2f89c7b0ebf1c73ea481e955d215

SHA512
cb2249a7b6087b420ce4718617cc62fc46d42a85c0f2fdf1cbb7b05e8446940be3c050038847f18363bc6c49c9412f2fab404baff0abf669f1e49584a32922f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (37).bmp

Filesize
34KB

MD5
2a61737fbcf4839605b8a88591420287

SHA1
5b00b2e6e08f3d9c5e55ff138a15286c3e305ed3

SHA256
2098d2f8711af6ed5db593c5e376469d19dcc06c63e26bc538395a115d640cbe

SHA512
4583c48b2a3a436ad11fc90d870c465906b5a6c21c7843199208dc30e26807e096babe07a39e2db1cba20491411c39f9af4a2e6cb014e3f21c031858e77e5379

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (38).bmp

Filesize
34KB

MD5
f58c7085824167f59267b342cba487cc

SHA1
37dce83ecb1e0f2ee96e0215b09369f86212afe9

SHA256
aa799dc6e5772e2f840f7a8d41b28c0d5066522518c6bbc764742e9e0e3b163c

SHA512
de9282d8a09e53ad4faf719af4b010ed9bbd0f0739f1b5d206f704cbbfdaded96a91c09d7a4a69a0d92fc9bfbfdfd671cdf1299ac72f5c2ed7f3356d750b83ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (39).bmp

Filesize
34KB

MD5
461ab87ce87dd2d705a4afecadcc97c5

SHA1
c55a30148421597e6708732fb27c6744d160abe7

SHA256
6a85ecf084e7dcb91ef5c3e00c59aa09606c79fbcecd27c13d5d80ae1a68a120

SHA512
35984d6bbdac244d3dbfc0752e31c2863a3d44330b0742e73726f3d0c6655c66051130010b14574b1e10ced0d6ff51928349c563a29d509de5f1a3b204fa898b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (40).bmp

Filesize
34KB

MD5
cf7e589ae37f5904e9fbde2965ab6c7c

SHA1
69c668092b5d54b2173154654906aa0ee3f38b0e

SHA256
e66c64b8b45dc49d1a2b4c2f8006175d7dc9907a3fb5f1b57cbfa9603f9ddf22

SHA512
fc7204647e2463fb86ded8e0168316b7ad2fd81cb09c7fdad385c67dbdb54575e5ffdf5c2d594a58af1654f207bd78970412cd0c52c6c854adc60e11f9171bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (41).bmp

Filesize
34KB

MD5
11af24816440ff78ab1b251b94630053

SHA1
e4d59d861fe837232b5ce3d358a80bfc82b1fd5e

SHA256
32234f5ead9a0eb0c9e486f55b0c3099ad3cbe612bd9784441900e170e711bb1

SHA512
473622272776acc0aa99fb598ea8c9dde80b36b5ae01aef3225f8c822e243477655dfa630a666fa7bf33f1ccae7dc4ac49397d6b77d9ff1f3c6c6e7165665a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (42).bmp

Filesize
34KB

MD5
a9e1f17b43186b3fa5c0ba1a174652d7

SHA1
44bd15d8509b003b55e6c4f234e2d47aeb33e285

SHA256
b28660cbddc6cbb3a0d378bff574df30e6321b7313a7b233f39b16f5ef4b3c89

SHA512
2134677128fcb48df80dc1b19f2ecadc1a0e6ccee55f045570384764ccd11471d875c1d8a69d5a669314d0cb22878251ff4f6cde50649b116afccaebfe5316b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (43).bmp

Filesize
34KB

MD5
eb005c0553af8f893f5471421a8c128f

SHA1
39e5c66a4e043929149dcb5277d071235f3b110e

SHA256
f19a6c7a37b1dfd71340dff139367c3e3db5b9bfab58ffda50f0230ea7e9bf8f

SHA512
0d6b30a4377596e42e78931a89f2b57936552e9369e1bc6775be12308256e7a2dcb78506f4200d13267f4f33fbe9ed34841ed028e14a30fa2cbe63826b691ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (44).bmp

Filesize
34KB

MD5
f4886ccb34a6a99d4e9be11e8a774690

SHA1
21d765bd0393e2c9123d88116a03005832c4cbbe

SHA256
2cdaa80c9e070142afb278cb501d4a94695fa81b6a670ae013d13484410b0e9f

SHA512
95edfd1fc61957414e4e965dc76618c839fa0b0da475afcac25353730f16938f1cbc38abb474242aec25fba90682b19c2a65bd0188174b527031a3b4fbcf9e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (45).bmp

Filesize
34KB

MD5
3dda902523961fc7f823abb903b3c88d

SHA1
69f41bd0ced97d02ed00d6a07e1826066908fc46

SHA256
53ad5683d6b81253e0f36c1a13053ae1e31e201e94ad77e1af1a46c0ea0b3d48

SHA512
bcf52fa0cfa2aefb4ccfa51be8144555ec977e48cde70d4aba4d541484417cbac516b22634e3d5c987e240b734c33e7e3829de34d2eafc5e0e2b8f99f81eaca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (46).bmp

Filesize
34KB

MD5
04f34709bc39f206ee3b38a6be5d1107

SHA1
71aac5f85311ed482115db11e1e47f160abc1338

SHA256
9f25480a89f5f23d40bcafbfa253bc9c98af10cda4c49f98cc96527a2e05cbfa

SHA512
a46e4367758772ea517e34731ea899d767aa9f146102301eafa8b2529b3f1b8aa1bc81be0c866b07c97562f5b0520e0bf4e7efa5e06dde8464b1007afda73cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (47).bmp

Filesize
34KB

MD5
06774e8ae7293c1017b99536e18d6c00

SHA1
be15d5cbceed89baee9f675a78fd813f8196b520

SHA256
736ba7a4d4a89cc3c9f0af9e5f9a6d015d2aab369225147e0bbe0e8cda7484f7

SHA512
9579698ea4baabce303cbdf0b841174cd2dfb68af3fd1992b20669bd22e6d8189262dc8646eb320511d24239c4f9c7ac1117bdd1dd726c6206999edbc3af1ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\Orbs\orb (48).bmp

Filesize
34KB

MD5
eedc73a3a3ad243aac0f19849678015c

SHA1
f959525a384f3cb2da8ccad2851453cab1fbbdfb

SHA256
c8529530dc5c567ce1338abe6e71fe8cee232493826cd5dc209feb2e19942222

SHA512
d50b9ab81f6d824992727a7079789d51640990012db04d8eaa41f599c7136a4767632548027662e6d3a2e17942cefce5b09b929c7172885cf941c6a5fad37343

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\StartIsBack32.dll

Filesize
556KB

MD5
ed79faf2cde3e0736033cb9ca259070f

SHA1
d3bf387b5a1b8d134013c9559234819d240f8b93

SHA256
950ec9be7d715ef7edeca456ef004cf91a2866239c22ef014c5067de0560c385

SHA512
2eaa9a2850c9028cc8db1a65fa833c1b61a6c159287829a54fda4641d694f1d69ae22f9aec10c9707e9ef76a570e1f8c75fe7ad57a4af534eb3b0181222de120

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\StartIsBack32.dll

Filesize
556KB

MD5
ed79faf2cde3e0736033cb9ca259070f

SHA1
d3bf387b5a1b8d134013c9559234819d240f8b93

SHA256
950ec9be7d715ef7edeca456ef004cf91a2866239c22ef014c5067de0560c385

SHA512
2eaa9a2850c9028cc8db1a65fa833c1b61a6c159287829a54fda4641d694f1d69ae22f9aec10c9707e9ef76a570e1f8c75fe7ad57a4af534eb3b0181222de120

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\StartIsBack64.dll

Filesize
659KB

MD5
4554b1128d789502d588ee983faa9192

SHA1
965d9cdc3d0a8c2c814dd54aa7ece6f0c7edb193

SHA256
2b901fc6fe4c87c295fda8da3944119c9958fedfbfec7d453b0e7bbe397b6d71

SHA512
67d17355d4f817c2ecdbdee91127f717b7fcd7a7706ec2133b19712eede580e38d50ccef94f3e6bd35990b0bb2161e7ae483c0551252c5e89fe27f8b25fe341c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\StartIsBackCfg.exe

Filesize
2.3MB

MD5
c4df01e7aeaa1f81836aff6c91819961

SHA1
60fcc492941f6058d1d5b76a9395dacc9ea68675

SHA256
7949d7df6388b797745f04e52e365d7227b56026ba701c92d70bd8ebdf178dd7

SHA512
a0aaa8404572e2b091a328e82307d745f823cf9396e159ecb1d38b0d9cdf276e1b3e7a9f8e9e6f47e01b3573158428059d1acb686d0e31ed92ce2a3a74ec85fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\StartIsBackCfg.exe

Filesize
2.3MB

MD5
c4df01e7aeaa1f81836aff6c91819961

SHA1
60fcc492941f6058d1d5b76a9395dacc9ea68675

SHA256
7949d7df6388b797745f04e52e365d7227b56026ba701c92d70bd8ebdf178dd7

SHA512
a0aaa8404572e2b091a328e82307d745f823cf9396e159ecb1d38b0d9cdf276e1b3e7a9f8e9e6f47e01b3573158428059d1acb686d0e31ed92ce2a3a74ec85fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\StartIsBackCfg.exe

Filesize
2.3MB

MD5
c4df01e7aeaa1f81836aff6c91819961

SHA1
60fcc492941f6058d1d5b76a9395dacc9ea68675

SHA256
7949d7df6388b797745f04e52e365d7227b56026ba701c92d70bd8ebdf178dd7

SHA512
a0aaa8404572e2b091a328e82307d745f823cf9396e159ecb1d38b0d9cdf276e1b3e7a9f8e9e6f47e01b3573158428059d1acb686d0e31ed92ce2a3a74ec85fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\StartScreen.exe

Filesize
69KB

MD5
840ce7d1658df768be8eea777ae0326b

SHA1
66cdce89b79906b6afbebbd343d15bfb4af7f54f

SHA256
400fd2ab2180633a08eca3ad7b28910f25753b722107069a1b64b2b26ed2b121

SHA512
a7c82375456068694de262ec129de1c2cd7abd43ff9ac7c0477af07c402b0bda33ec8767b5b0dd1088eabb38d8b85333817a4914e61b44707c0a70e92cb32b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\msimg32.dll

Filesize
2KB

MD5
5e1bb511c41a1199b40cc2a46219199b

SHA1
b00d12d70fd2889eac8434f847523d6b71c266ef

SHA256
7aa4815e7379401328d8e241eb443c86620ac0b84850f6f1b41add74e3490ede

SHA512
9128fe41a76ecaa364b6125b649493cd29725f08a572133601f4ce4ee841a9efc99d24d5c06828b8aa768c89e6e7dd69b6a2f8687bd916aa7ca45c437002b20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\msimg32.dll

Filesize
2KB

MD5
5e1bb511c41a1199b40cc2a46219199b

SHA1
b00d12d70fd2889eac8434f847523d6b71c266ef

SHA256
7aa4815e7379401328d8e241eb443c86620ac0b84850f6f1b41add74e3490ede

SHA512
9128fe41a76ecaa364b6125b649493cd29725f08a572133601f4ce4ee841a9efc99d24d5c06828b8aa768c89e6e7dd69b6a2f8687bd916aa7ca45c437002b20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\msimg32.dll

Filesize
2KB

MD5
5e1bb511c41a1199b40cc2a46219199b

SHA1
b00d12d70fd2889eac8434f847523d6b71c266ef

SHA256
7aa4815e7379401328d8e241eb443c86620ac0b84850f6f1b41add74e3490ede

SHA512
9128fe41a76ecaa364b6125b649493cd29725f08a572133601f4ce4ee841a9efc99d24d5c06828b8aa768c89e6e7dd69b6a2f8687bd916aa7ca45c437002b20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\SIB\startscreen.exe

Filesize
69KB

MD5
840ce7d1658df768be8eea777ae0326b

SHA1
66cdce89b79906b6afbebbd343d15bfb4af7f54f

SHA256
400fd2ab2180633a08eca3ad7b28910f25753b722107069a1b64b2b26ed2b121

SHA512
a7c82375456068694de262ec129de1c2cd7abd43ff9ac7c0477af07c402b0bda33ec8767b5b0dd1088eabb38d8b85333817a4914e61b44707c0a70e92cb32b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\VclStylesInno.dll

Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUSJ.tmp\VclStylesInno.dll

Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FD26D.tmp\StartBack AiO 1.0.65.1.tmp

Filesize
911KB

MD5
2bbecb156b7d6f099cfa2361f481d8a2

SHA1
57bfd64b9ddf14015f667eed91c1eb472c3b1b3a

SHA256
b1c19d727278d178a28016ff6a5816c87ef7066f81111a0af74a35d854c05246

SHA512
a70f006fd333552794562dfea282a0622fb35d41e1d7aa9c93014d6a649ca59982303ecbc4cdd9678cbb4a1862b05fd28389813d0e1252d44469223f55414e71

Download Submit
memory/1832-196-0x0000000000000000-mapping.dmp

Download
memory/1944-200-0x0000000000000000-mapping.dmp

Download
memory/1968-158-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-159-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-153-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-258-0x0000000007471000-0x00000000076FF000-memory.dmp

Filesize
2.6MB

Download
memory/1968-135-0x0000000000000000-mapping.dmp

Download
memory/1968-140-0x0000000007250000-0x0000000007266000-memory.dmp

Filesize
88KB

Download
memory/1968-143-0x0000000007470000-0x000000000778A000-memory.dmp

Filesize
3.1MB

Download
memory/1968-183-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-144-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-184-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-182-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-154-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-179-0x0000000007471000-0x00000000076FF000-memory.dmp

Filesize
2.6MB

Download
memory/1968-180-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-178-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-177-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-176-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-175-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-174-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-173-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-172-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-171-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-170-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-169-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-168-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-167-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-166-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-165-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-164-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-162-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-163-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-161-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-160-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-152-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-145-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-157-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-156-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-155-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-181-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-147-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-146-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-151-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-150-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-149-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1968-148-0x0000000007790000-0x00000000078D0000-memory.dmp

Filesize
1.2MB

Download
memory/1972-192-0x0000000000000000-mapping.dmp

Download
memory/1972-195-0x0000000073C80000-0x0000000073C82000-memory.dmp

Filesize
8KB

Download
memory/2312-199-0x0000000000000000-mapping.dmp

Download
memory/2524-186-0x0000000000000000-mapping.dmp

Download
memory/2560-137-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2560-132-0x0000000000000000-mapping.dmp

Download
memory/2560-260-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2560-133-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3352-204-0x0000000000000000-mapping.dmp

Download
memory/3352-276-0x0000000075050000-0x0000000075053000-memory.dmp

Filesize
12KB

Download
memory/3352-273-0x0000000000000000-mapping.dmp

Download
memory/3444-201-0x0000000000000000-mapping.dmp

Download
memory/3680-283-0x0000022C8556F000-0x0000022C85572000-memory.dmp

Filesize
12KB

Download
memory/3680-279-0x0000022C8556B000-0x0000022C8556F000-memory.dmp

Filesize
16KB

Download
memory/3680-292-0x0000022C85566000-0x0000022C8556A000-memory.dmp

Filesize
16KB

Download
memory/3680-291-0x0000022C85566000-0x0000022C8556A000-memory.dmp

Filesize
16KB

Download
memory/3680-278-0x0000022C8556B000-0x0000022C8556F000-memory.dmp

Filesize
16KB

Download
memory/3680-289-0x0000022C96348000-0x0000022C96350000-memory.dmp

Filesize
32KB

Download
memory/3680-272-0x0000022C980E0000-0x0000022C981E0000-memory.dmp

Filesize
1024KB

Download
memory/3680-288-0x0000022C82650000-0x0000022C82750000-memory.dmp

Filesize
1024KB

Download
memory/3680-286-0x0000022C8556F000-0x0000022C85572000-memory.dmp

Filesize
12KB

Download
memory/3680-277-0x0000022C8556B000-0x0000022C8556F000-memory.dmp

Filesize
16KB

Download
memory/3680-269-0x0000022C834E0000-0x0000022C83500000-memory.dmp

Filesize
128KB

Download
memory/3680-285-0x0000022C8556F000-0x0000022C85572000-memory.dmp

Filesize
12KB

Download
memory/3680-280-0x0000022C8556B000-0x0000022C8556F000-memory.dmp

Filesize
16KB

Download
memory/3680-281-0x0000022C8556B000-0x0000022C8556F000-memory.dmp

Filesize
16KB

Download
memory/3680-284-0x0000022C8556F000-0x0000022C85572000-memory.dmp

Filesize
12KB

Download
memory/3788-202-0x0000000000000000-mapping.dmp

Download
memory/3984-257-0x0000000000000000-mapping.dmp

Download
memory/4088-198-0x0000000000000000-mapping.dmp

Download
memory/4172-256-0x0000000000000000-mapping.dmp

Download
memory/4340-185-0x0000000000000000-mapping.dmp

Download
memory/4684-259-0x0000000000000000-mapping.dmp

Download
memory/5096-203-0x0000000000000000-mapping.dmp

Download