Analysis

max time kernel: 42s
max time network: 39s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01-05-2024 22:23

Static task: static1
Behavioral task: behavioral1
  Sample: StartAllBack.v3.7.7.exe
  Resource: win10-20240404-en
General

Target: StartAllBack.v3.7.7.exe
Size: 3.4MB
MD5: 5f6757917139289b8cf4566a61c45173
SHA1: 1dd8ef1a6365a30896bfb339caafd298a0d146f0
SHA256: 2fac2937abb8ae4abb53d414a3494a1841bdc97a2928628ad4e01368e5158a42
SHA512: ccf629d6215b789cd6c3b33b33165e0edf60670a0a2d809a00fe90c1eba3931374c3b55ff1f99c4649924e327110a23828662e16be45a10f456d89514160eac0
SSDEEP: 98304:6BOc/4Ib9mLM0kHQ+kk63RyWATDoTs6qIhMOZ5U:sOc/J4M0sW53YrhgmOZ5U
Malware Config
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)

Executes dropped EXE (6 IoCs)
- pid/process: 4564 StartIsBackCfg.exe, 504 startscreen.exe, 2704 StartScreen.exe, 788 StartIsBackCfg.exe, 60 StartScreen.exe, 4508 StartScreen.exe

Loads dropped DLL (9 IoCs)
- pid/process: 1916 StartAllBack.v3.7.7.exe, 1916 StartAllBack.v3.7.7.exe, 1916 StartAllBack.v3.7.7.exe, 1916 StartAllBack.v3.7.7.exe, 2472 explorer.exe, 2704 StartScreen.exe, 788 StartIsBackCfg.exe, 60 StartScreen.exe, 4508 StartScreen.exe

Registers COM server for autorun (1 TTPs, 23 IoCs)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops desktop.ini file(s) (3 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Local\Temp\startscreen\desktop.ini (StartScreen.exe)
- File opened for modification: C:\Users\Admin\AppData\Local\Temp\startscreen\desktop.ini (StartScreen.exe)
- File opened for modification: C:\Users\Admin\AppData\Local\Temp\startscreen\desktop.ini (StartScreen.exe)

Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\D: (explorer.exe)
- File opened (read-only): \??\F: (explorer.exe)

Drops file in Program Files directory (14 IoCs)
- File created: C:\Program Files (x86)\StartIsBack\Orbs\Windows 7.orb (StartIsBackCfg.exe)
- File created: C:\Program Files (x86)\StartIsBack\Styles\Plain8.msstyles (StartIsBackCfg.exe)
- File created: C:\Program Files (x86)\StartIsBack\StartIsBackCfg.exe (StartIsBackCfg.exe)
- File created: C:\Program Files (x86)\StartIsBack\StartScreen.exe (StartIsBackCfg.exe)
- File created: C:\Program Files (x86)\StartIsBack\Orbs\Shamrock.orb (StartIsBackCfg.exe)
- File opened for modification: C:\Program Files (x86)\StartIsBack\Styles (StartIsBackCfg.exe)
- File created: C:\Program Files (x86)\StartIsBack\Styles\Plain10.msstyles (StartIsBackCfg.exe)
- File created: C:\Program Files (x86)\StartIsBack\Styles\Windows 7.msstyles (StartIsBackCfg.exe)
- File created: C:\Program Files (x86)\StartIsBack\StartIsBack64.dll (StartIsBackCfg.exe)
- File opened for modification: C:\Program Files (x86)\StartIsBack\Orbs (StartIsBackCfg.exe)
- File created: C:\Program Files (x86)\StartIsBack\Orbs\StartIsBack_Ei8htOrb_v2_by_PainteR.bmp (StartIsBackCfg.exe)
- File opened for modification: C:\Program Files (x86)\StartIsBack\StartIsBack32.dll (StartIsBackCfg.exe)
- File created: C:\Program Files (x86)\StartIsBack\UpdateCheck.exe (StartIsBackCfg.exe)
- File created: C:\Program Files (x86)\StartIsBack\StartIsBack32.dll (StartIsBackCfg.exe)

Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\rescache\_merged\2717123927\1590785016.pri (explorer.exe)
- File created: C:\Windows\rescache\_merged\1601268389\715946058.pri (SearchUI.exe)
- File created: C:\Windows\rescache\_merged\4032412167\4002656488.pri (explorer.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 26 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Creates scheduled task(s) (1 TTPs, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid/process: 4672 schtasks.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (SearchUI.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (SearchUI.exe)

Kills process with taskkill (8 IoCs)
- pid/process: 1560 taskkill.exe, 4480 taskkill.exe, 3052 taskkill.exe, 1380 taskkill.exe, 1572 taskkill.exe, 1336 taskkill.exe, 1348 taskkill.exe, 4428 taskkill.exe

(signature name not present on the page)
- Key created: \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU (SearchUI.exe)

Modifies registry class (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- pid/process: 2472 explorer.exe, 788 StartIsBackCfg.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (52 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
- pid/process: 2636 SearchUI.exe, 2472 explorer.exe

Suspicious use of WriteProcessMemory (47 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\StartAllBack.v3.7.7.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\StartAllBack.v3.7.7.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1916

  C:\Users\Admin\AppData\Local\Temp\STARTISBACK\StartIsBackCfg.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\STARTISBACK\StartIsBackCfg.exe" /install /elevated /silent
    - Executes dropped EXE
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 4564

    C:\Users\Admin\AppData\Local\Temp\STARTISBACK\startscreen.exe (depth 3)
      Command line: startscreen.exe /stop
      - Executes dropped EXE
      PID: 504

    C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill.exe /F /IM startscreen*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 3052

    C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill.exe /F /IM explorer*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1380

    C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill.exe /F /IM explorer*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1572

    C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill.exe /F /IM explorer*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1336

    C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill.exe /F /IM explorer*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1348

    C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill.exe /F /IM explorer*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4428

    C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill.exe /F /IM explorer*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1560

    C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill.exe /F /IM explorer*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4480

    C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: schtasks.exe /Create /TN "\StartIsBack health check" /XML "C:\Users\Admin\AppData\Local\Temp\sibtask.xml"
      - Creates scheduled task(s)
      PID: 4672

  C:\Windows\explorer.exe (depth 2)
    Command line: C:\Windows\explorer.exe
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2472

    C:\Program Files (x86)\StartIsBack\StartScreen.exe (depth 3)
      Command line: "C:\Program Files (x86)\StartIsBack\StartScreen.exe" /unpin
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Suspicious use of FindShellTrayWindow
      PID: 2704

    C:\Program Files (x86)\StartIsBack\StartIsBackCfg.exe (depth 3)
      Command line: "C:\Program Files (x86)\StartIsBack\StartIsBackCfg.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 788

    C:\Program Files (x86)\StartIsBack\StartScreen.exe (depth 3)
      Command line: "C:\Program Files (x86)\StartIsBack\StartScreen.exe" /unpin
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      PID: 60

    C:\Program Files (x86)\StartIsBack\StartScreen.exe (depth 3)
      Command line: "C:\Program Files (x86)\StartIsBack\StartScreen.exe" /unpin
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      PID: 4508

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 2636
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Scheduled Task/Job (1)
Downloads

- Filesize: 14KB
  MD5: 3380b54e3424a51ad98bd19884a6eb69
  SHA1: 9e5c9010f9e6c48b61f3ed8b638ed11658ed7b4b
  SHA256: d62d93bcba5ee7c1669261f8319602061a5928eddebd669c49c2cd5bfa24c7f4
  SHA512: fb1241644f878453b983eea240e694ac5d067fba0ba316c57e7b709a2196657f7cb548b5656daed0c5f1715a977ce77b302c10471c4619a418df2d06c1ac0450

- Filesize: 295KB
  MD5: ef55e07e1a2e47bb2bb749046cd150b2
  SHA1: 68362a1b38f03b8f25fc1f2cfcbd73d90b2ea0fa
  SHA256: 1a8dac51758c66a1bb03fbc227b5edb52ef7379fa3603b62eb3307005d06c9b5
  SHA512: 9c04a8c14dddf42b1ce6d07a5e562f008922595a9024cfcedb46529ab97804535fee8d1577ba9ee7438602aaac8613237869d5dc658bf7b68d44c250128b7b0e

- Filesize: 34KB
  MD5: 641328c75e6b117545211db22dafcaa0
  SHA1: df4061f2b30b8cce58c2446cd6e8b86968ab46d0
  SHA256: 76a72c9ad77843b58223dd588483ac1265a31c15aaeb47ee66d1925de787644b
  SHA512: 54f265edd24cb26b4a550f65f8c3a70acc4fe2a95e03a43c14919d2b67f817162cdbd06aa9ccef86942f04a7e115b70b44164e83001f965cd7a627a06186d6b9

- Filesize: 295KB
  MD5: 85328e698e8a74852b4061a683915dc8
  SHA1: b898267f8574a34e6d605e541e5234c27dd53f5d
  SHA256: e5b74e9e7bd6758a0154b11462ae3328edd143190865198104d8bd53b9af7275
  SHA512: 03945c487c6e697f7b352374a989bfe41d1de7d00624461d2b97fb2027b26d36b35035d5e78ea622c31372087dae647c5d3591c7f9a27941c009993e719ee28f

- Filesize: 563KB
  MD5: e4b19c388cf6d649053e7f018388b9a4
  SHA1: 9114450f106c4e274c335f4e5d41fe40380a9607
  SHA256: 6405b9ad8b1557381de5a3d51502f408891283ba22ad45166343261e703bee07
  SHA512: f990a6765a3bc8c3d36d8617e68237d83cd2cca4e05a71389f4381e6ef8b2c96cc9f04a6f9db74a9af95f30bfd36c72394acff8718e8ab6d16581eafd68ab51e

- Filesize: 667KB
  MD5: 7ca847e6522f074352eadc0b62eb3399
  SHA1: 84fadc794964373f4098a474c3829d5d1953e07a
  SHA256: 584d631fa9f62873409cc51777fbbe8df673887a8af0a092d4b0523da512e577
  SHA512: 6c0e8a38a394309fcbb66d9da372cd35114b5a0aea397324f629fbb18866eaa934119483d5048dcb487377cd2d47d85ee23611aae84947a025b494a53bfcd20a

- Filesize: 2.3MB
  MD5: 54873041460fa7a27cfb5008239e11f9
  SHA1: c4fd1fa77a5e079f19cfaed945a83b65bc55431a
  SHA256: 3b946870b669af9837a27204e72ebe8e42a3503a6ee4da3822672ff54bdad0c5
  SHA512: 78fc2b84dc42e86bec9e802f6a96a3507802a033b54429ac0d2c65b726edfb0dc3ee1cf5c57dde455a5ffa36b49ebf9c1ff4335b5b7fab70b9609d903e59ca8a

- Filesize: 48KB
  MD5: a69385279536210958fb9c86cab229d6
  SHA1: 6ecb118cfb9b8ef42c79aa0d795c3d8b51f0341d
  SHA256: 3955fc60d3b7c4a1badd831fde82269261407cf9d459c65b429e8abc769adeed
  SHA512: f1cf5b1ec22416e645c0dfc128c25166585e300a8db2de6ec51e0689e26e54831dcf2b26a03115423b9b71f1b109389a3e14173fe0a8bbebc2547f9ca33cd412

- Filesize: 118KB
  MD5: 509fd060516d1971da8d0c2173748358
  SHA1: 67ccd63914312b1f491467bec42232916df109c7
  SHA256: 43c7016d950248f52f9512c9e7393c38d61a3ba2235e5fb6deed83564d8e9442
  SHA512: de3d87b7e0a518ffbb10ccd400dbf5f9596177b75dd7aa4785855d36f007ef0417b88b2eb3aa6af7e52fb3670c021f714bcf87a33551ffc4536444d5204aa7e6

- Filesize: 405KB
  MD5: b6a2892c151ccd59d0b4c4c1777daac5
  SHA1: b34791b4db3956620dffb2e11e1fa160e2d20889
  SHA256: 0c6e681a8091ba888e58473cceeae590c88a405bb30dcb344f940acf27290ce8
  SHA512: e8fc5c96d155bf9657c07d861e2597d681a23ce1d46ec3e779251126e989be41c883e0545e80b5291c96a3ead4eb6c2affe8b419abb506bc5e5376fe2fa212ae

- Filesize: 3KB
  MD5: f9756c261aa978c787302debff8f142a
  SHA1: 81b5b130741d5df2feccd67bb6edb1a9d08d48aa
  SHA256: a8d52a2653709d93d0d2c05d653dcf8f0cb06f11422d183eb6871528c95df319
  SHA512: 20ae445ab28d98ce6c1c8b066b7133541d9f944df7dbfccbc35df724165624c82d76c260c6041e5033e965e4dc0a2a57a67b594057cbc88f8ccc6ac9490c08b3

- Filesize: 71KB
  MD5: a2d6e2201be02973328038457aa64bba
  SHA1: 684338bd758a92449d43c49a0aa539f323760215
  SHA256: f4e76abf0df055fae97863708412773b51197bae0ddd9692a9509e824d847df0
  SHA512: 21002b3b3cd01beb923692addaef4e5d0fcbee972154e25bea2c4ece591185bf8e6221959fbcc772fc7e7f73dce18747909dcd9c04423a0ade70f6cfba72f135

- Filesize: 3KB
  MD5: 331691375e3eb33ed12214c26797c23f
  SHA1: 3719bd8407dcc0a40f5d9eedc927eea80d0ef9e4
  SHA256: 2ffd12fcc5e8c87af2f14605602e8602dcfa2d5638ad6bd690e0a1014fe2c772
  SHA512: e002ce601db8cb4a3ad3ce02812752f5c547739df2aa2501de248899775a939a7a6652a3695a0a56b6cc3b2d599230f3278f1d8fad19066be30ee0ddedc2d7ff

- Filesize: 80B
  MD5: 8011052ff701a0c4439ee18450e8e51d
  SHA1: a4893c2482522ccc3dee1c95ce644d8e1090d6ae
  SHA256: b901f0d5c24c25f334690f540b2a62d3e9c76226bdc183d45422e3237cc36051
  SHA512: c1712b4ea2fb42f38e76adaed613890f5e707a1ca495c87da506d423b3141a463fff034b1ae80824f6f8db776a9181f27d5f3f5a6cb94a1ab87ac0babe10d2c9

- Filesize: 1KB
  MD5: c43abe08aeb3d8f3e32aba10586905cc
  SHA1: e0e59a53b17200bfa2aa9f9a393ef433bd8f0c43
  SHA256: a5f5855449e32e8f5951e840175b1682a76e40af9e0109e81b33b8d289c66a83
  SHA512: 61a7abf9c0af6b7f6fc0f77d472ed010e342018c5079826419b21eabba88f1d8aa93d30372b9b2d9c16eecc5f4f16ffd83f3db144b206746684cae9320bc8937

- Filesize: 5KB
  MD5: 109b201717ab5ef9b5628a9f3efef36f
  SHA1: 98db1f0cc5f110438a02015b722778af84d50ea7
  SHA256: 20e642707ef82852bcf153254cb94b629b93ee89a8e8a03f838eef6cbb493319
  SHA512: 174e241863294c12d0705c9d2de92f177eb8f3d91125b183d8d4899c89b9a202a4c7a81e0a541029a4e52513eee98029196a4c3b8663b479e69116347e5de5b4

- Filesize: 12KB
  MD5: 8cf2ac271d7679b1d68eefc1ae0c5618
  SHA1: 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
  SHA256: 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
  SHA512: ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

- Filesize: 9KB
  MD5: ec9640b70e07141febbe2cd4cc42510f
  SHA1: 64a5e4b90e5fe62aa40e7ac9e16342ed066f0306
  SHA256: c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188
  SHA512: 47605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe

- Filesize: 24KB
  MD5: 2b7007ed0262ca02ef69d8990815cbeb
  SHA1: 2eabe4f755213666dbbbde024a5235ddde02b47f
  SHA256: 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
  SHA512: aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca