68de812ffc84aaf4f7a5b3f7b55472f2a525fe43c60e64539a84506fcf386d0e

Analysis

max time kernel
21s
max time network
28s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09/05/2024, 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StartAllBack.v3.7.9.exe
Size

3.4MB
MD5

cfa05e668d40141a0962f8cd63834294
SHA1

8e62d099cd181f3bbe644e3d5a0a264ad2ecce92
SHA256

68de812ffc84aaf4f7a5b3f7b55472f2a525fe43c60e64539a84506fcf386d0e
SHA512

59adde381e178a9f291d5585ac37a4c1789be2d20d94f81290ad66c471964b18369d6f9143caa9915ad27334ce518e39e39a331d174fecd282b4b949bbc85d6a
SSDEEP

98304:2k8H3G0wUxHEfGNH8iYAxvlD5H2Lz8sC2Wn66Hsn4O:2T6pGNH8yxN5Huz7CTO

Score

8^/10

discovery persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
1420	StartIsBackCfg.exe
3768	startscreen.exe
4804	StartScreen.exe

Loads dropped DLL 6 IoCs

pid	Process
4812	StartAllBack.v3.7.9.exe
4812	StartAllBack.v3.7.9.exe
4812	StartAllBack.v3.7.9.exe
4812	StartAllBack.v3.7.9.exe
5080	explorer.exe
4804	StartScreen.exe

Registers COM server for autorun 1 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da3306b1-2554-420b-8d0e-6bd29bb4d8ed}\LocalServer32	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da3306b1-2554-420b-8d0e-6bd29bb4d8ed}\LocalServer32\ = "\"C:\\Program Files (x86)\\StartIsBack\\UpdateCheck.exe\""	StartIsBackCfg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\startscreen\desktop.ini	StartScreen.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\StartIsBack\Orbs\Shamrock.orb	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\Windows 7.orb	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Styles\Windows 7.msstyles	StartIsBackCfg.exe
File opened for modification	C:\Program Files (x86)\StartIsBack\StartIsBack32.dll	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\StartIsBackCfg.exe	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\UpdateCheck.exe	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Styles\Plain10.msstyles	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\StartScreen.exe	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\StartIsBack64.dll	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\StartIsBack_Ei8htOrb_v2_by_PainteR.bmp	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\StartIsBack32.dll	StartIsBackCfg.exe
File opened for modification	C:\Program Files (x86)\StartIsBack\Orbs	StartIsBackCfg.exe
File opened for modification	C:\Program Files (x86)\StartIsBack\Styles	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\Styles\Plain8.msstyles	StartIsBackCfg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2717123927\1590785016.pri	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4564	schtasks.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
4840	taskkill.exe
3872	taskkill.exe
2696	taskkill.exe
1528	taskkill.exe
4280	taskkill.exe
2744	taskkill.exe
4248	taskkill.exe
1364	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\ = "StartIsBack Menu Pin"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}	StartIsBackCfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\ShellFolder\Attributes = "672137216"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.AppsFolder\Shell	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\ = "Settings Pages"	StartIsBackCfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\ShellFolder\Attributes = "2684354560"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sib-activate\shell\open	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da3306b1-2554-420b-8d0e-6bd29bb4d8ed}	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\ShellFolder\Attributes = "2684354560"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack32.dll"	StartIsBackCfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\StartIsBack.UpdateToast\ShowInSettings = "0"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Open	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\ = "Start Menu Pin"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\OpenFolder\Extended	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\runas\AppliesTo = "System.AppUserModel.RunFlags:=1 OR System.AppUserModel.RunFlags:=3"	StartIsBackCfg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\ = "Taskbar Pin"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.AppsFolder\Shell\Delete\Position = "Bottom"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\ImplementsVerbs = "startpin;startunpin"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\System.ApplicationName = "StartIsBack.Config"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\ = "StartIsBack All Programs Folder"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\OpenFolder\Command	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\CopyPath\Command	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\Shell\Open\Command\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBackCfg.exe"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\ShellFolder	StartIsBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\ = "All Apps"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\ShellFolder	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\System.Software.TasksFileUrl = "Internal"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\ShellFolder	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\CopyPath\Command\DelegateExecute = "{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Open\Command\DelegateExecute = "{A9249952-F4C6-4BCD-9B44-6A5BA9B5209E}"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.AppsFolder\Shell\ChangeIcon\Command\DelegateExecute = "{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da3306b1-2554-420b-8d0e-6bd29bb4d8ed}\LocalServer32\ = "\"C:\\Program Files (x86)\\StartIsBack\\UpdateCheck.exe\""	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\CopyPath	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32	StartIsBackCfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\System.ControlPanel.EnableInSafeMode = "3"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\Shell\Open\Command	StartIsBackCfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\ShellFolder\Attributes = "0"	StartIsBackCfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\SeparatorBefore = "1"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\runas\MuiVerb = "@appresolver.dll,-8504"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df957}\TreatAs\ = "{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\ = "Start menu"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\ = "@twinui.dll,-10207"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.AppsFolder\Shell\Delete\Command	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\DefaultIcon\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBackCfg.exe,0"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\ShellFolder	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\Command	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSILink\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}	StartIsBackCfg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	4840	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	4280	taskkill.exe
Token: SeDebugPrivilege	2744	taskkill.exe
Token: SeDebugPrivilege	4248	taskkill.exe
Token: SeTakeOwnershipPrivilege	1420	StartIsBackCfg.exe
Token: SeTakeOwnershipPrivilege	1420	StartIsBackCfg.exe
Token: SeTakeOwnershipPrivilege	1420	StartIsBackCfg.exe
Token: SeShutdownPrivilege	5080	explorer.exe
Token: SeCreatePagefilePrivilege	5080	explorer.exe
Token: SeShutdownPrivilege	5080	explorer.exe
Token: SeCreatePagefilePrivilege	5080	explorer.exe
Token: SeShutdownPrivilege	5080	explorer.exe
Token: SeCreatePagefilePrivilege	5080	explorer.exe
Token: SeShutdownPrivilege	5080	explorer.exe
Token: SeCreatePagefilePrivilege	5080	explorer.exe
Token: SeShutdownPrivilege	5080	explorer.exe
Token: SeShutdownPrivilege	5080	explorer.exe
Token: SeShutdownPrivilege	5080	explorer.exe
Token: SeShutdownPrivilege	5080	explorer.exe
Token: SeShutdownPrivilege	5080	explorer.exe
Token: SeCreatePagefilePrivilege	5080	explorer.exe
Token: SeShutdownPrivilege	5080	explorer.exe
Token: SeCreatePagefilePrivilege	5080	explorer.exe
Token: SeShutdownPrivilege	5080	explorer.exe
Token: SeCreatePagefilePrivilege	5080	explorer.exe
Token: SeShutdownPrivilege	5080	explorer.exe
Token: SeCreatePagefilePrivilege	5080	explorer.exe
Token: SeShutdownPrivilege	5080	explorer.exe
Token: SeCreatePagefilePrivilege	5080	explorer.exe
Token: SeShutdownPrivilege	5080	explorer.exe
Token: SeCreatePagefilePrivilege	5080	explorer.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1420	StartIsBackCfg.exe
1420	StartIsBackCfg.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
4804	StartScreen.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe
5080	explorer.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 1420	4812	StartAllBack.v3.7.9.exe	73
PID 4812 wrote to memory of 1420	4812	StartAllBack.v3.7.9.exe	73
PID 4812 wrote to memory of 1420	4812	StartAllBack.v3.7.9.exe	73
PID 1420 wrote to memory of 3768	1420	StartIsBackCfg.exe	74
PID 1420 wrote to memory of 3768	1420	StartIsBackCfg.exe	74
PID 1420 wrote to memory of 3768	1420	StartIsBackCfg.exe	74
PID 1420 wrote to memory of 1364	1420	StartIsBackCfg.exe	75
PID 1420 wrote to memory of 1364	1420	StartIsBackCfg.exe	75
PID 1420 wrote to memory of 1364	1420	StartIsBackCfg.exe	75
PID 1420 wrote to memory of 4840	1420	StartIsBackCfg.exe	78
PID 1420 wrote to memory of 4840	1420	StartIsBackCfg.exe	78
PID 1420 wrote to memory of 4840	1420	StartIsBackCfg.exe	78
PID 1420 wrote to memory of 3872	1420	StartIsBackCfg.exe	80
PID 1420 wrote to memory of 3872	1420	StartIsBackCfg.exe	80
PID 1420 wrote to memory of 3872	1420	StartIsBackCfg.exe	80
PID 1420 wrote to memory of 2696	1420	StartIsBackCfg.exe	82
PID 1420 wrote to memory of 2696	1420	StartIsBackCfg.exe	82
PID 1420 wrote to memory of 2696	1420	StartIsBackCfg.exe	82
PID 1420 wrote to memory of 1528	1420	StartIsBackCfg.exe	84
PID 1420 wrote to memory of 1528	1420	StartIsBackCfg.exe	84
PID 1420 wrote to memory of 1528	1420	StartIsBackCfg.exe	84
PID 1420 wrote to memory of 4280	1420	StartIsBackCfg.exe	86
PID 1420 wrote to memory of 4280	1420	StartIsBackCfg.exe	86
PID 1420 wrote to memory of 4280	1420	StartIsBackCfg.exe	86
PID 1420 wrote to memory of 2744	1420	StartIsBackCfg.exe	88
PID 1420 wrote to memory of 2744	1420	StartIsBackCfg.exe	88
PID 1420 wrote to memory of 2744	1420	StartIsBackCfg.exe	88
PID 1420 wrote to memory of 4248	1420	StartIsBackCfg.exe	90
PID 1420 wrote to memory of 4248	1420	StartIsBackCfg.exe	90
PID 1420 wrote to memory of 4248	1420	StartIsBackCfg.exe	90
PID 1420 wrote to memory of 4564	1420	StartIsBackCfg.exe	92
PID 1420 wrote to memory of 4564	1420	StartIsBackCfg.exe	92
PID 1420 wrote to memory of 4564	1420	StartIsBackCfg.exe	92
PID 4812 wrote to memory of 5080	4812	StartAllBack.v3.7.9.exe	94
PID 4812 wrote to memory of 5080	4812	StartAllBack.v3.7.9.exe	94
PID 5080 wrote to memory of 4804	5080	explorer.exe	95
PID 5080 wrote to memory of 4804	5080	explorer.exe	95
PID 5080 wrote to memory of 4804	5080	explorer.exe	95

C:\Users\Admin\AppData\Local\Temp\StartAllBack.v3.7.9.exe
"C:\Users\Admin\AppData\Local\Temp\StartAllBack.v3.7.9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\STARTISBACK\StartIsBackCfg.exe
  "C:\Users\Admin\AppData\Local\Temp\STARTISBACK\StartIsBackCfg.exe" /install /elevated /silent
  2⤵
  - Executes dropped EXE
  - Registers COM server for autorun
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\STARTISBACK\startscreen.exe
    startscreen.exe /stop
    3⤵
    - Executes dropped EXE
    PID:3768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /F /IM startscreen*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /F /IM explorer*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /F /IM explorer*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /F /IM explorer*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /F /IM explorer*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /F /IM explorer*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /F /IM explorer*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /F /IM explorer*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4248
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "\StartIsBack health check" /XML "C:\Users\Admin\AppData\Local\Temp\sibtask.xml"
    3⤵
    - Creates scheduled task(s)
    PID:4564
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Program Files (x86)\StartIsBack\StartScreen.exe
    "C:\Program Files (x86)\StartIsBack\StartScreen.exe" /unpin
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Suspicious use of FindShellTrayWindow
    PID:4804

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\STARTISBACK\Orbs\Shamrock.orb

Filesize
295KB

MD5
ef55e07e1a2e47bb2bb749046cd150b2

SHA1
68362a1b38f03b8f25fc1f2cfcbd73d90b2ea0fa

SHA256
1a8dac51758c66a1bb03fbc227b5edb52ef7379fa3603b62eb3307005d06c9b5

SHA512
9c04a8c14dddf42b1ce6d07a5e562f008922595a9024cfcedb46529ab97804535fee8d1577ba9ee7438602aaac8613237869d5dc658bf7b68d44c250128b7b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\STARTISBACK\Orbs\StartIsBack_Ei8htOrb_v2_by_PainteR.bmp

Filesize
34KB

MD5
641328c75e6b117545211db22dafcaa0

SHA1
df4061f2b30b8cce58c2446cd6e8b86968ab46d0

SHA256
76a72c9ad77843b58223dd588483ac1265a31c15aaeb47ee66d1925de787644b

SHA512
54f265edd24cb26b4a550f65f8c3a70acc4fe2a95e03a43c14919d2b67f817162cdbd06aa9ccef86942f04a7e115b70b44164e83001f965cd7a627a06186d6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\STARTISBACK\Orbs\Windows 7.orb

Filesize
295KB

MD5
85328e698e8a74852b4061a683915dc8

SHA1
b898267f8574a34e6d605e541e5234c27dd53f5d

SHA256
e5b74e9e7bd6758a0154b11462ae3328edd143190865198104d8bd53b9af7275

SHA512
03945c487c6e697f7b352374a989bfe41d1de7d00624461d2b97fb2027b26d36b35035d5e78ea622c31372087dae647c5d3591c7f9a27941c009993e719ee28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\STARTISBACK\StartIsBack32.dll

Filesize
563KB

MD5
e4b19c388cf6d649053e7f018388b9a4

SHA1
9114450f106c4e274c335f4e5d41fe40380a9607

SHA256
6405b9ad8b1557381de5a3d51502f408891283ba22ad45166343261e703bee07

SHA512
f990a6765a3bc8c3d36d8617e68237d83cd2cca4e05a71389f4381e6ef8b2c96cc9f04a6f9db74a9af95f30bfd36c72394acff8718e8ab6d16581eafd68ab51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\STARTISBACK\StartIsBack64.dll

Filesize
667KB

MD5
7ca847e6522f074352eadc0b62eb3399

SHA1
84fadc794964373f4098a474c3829d5d1953e07a

SHA256
584d631fa9f62873409cc51777fbbe8df673887a8af0a092d4b0523da512e577

SHA512
6c0e8a38a394309fcbb66d9da372cd35114b5a0aea397324f629fbb18866eaa934119483d5048dcb487377cd2d47d85ee23611aae84947a025b494a53bfcd20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\STARTISBACK\StartIsBackCfg.exe

Filesize
2.3MB

MD5
54873041460fa7a27cfb5008239e11f9

SHA1
c4fd1fa77a5e079f19cfaed945a83b65bc55431a

SHA256
3b946870b669af9837a27204e72ebe8e42a3503a6ee4da3822672ff54bdad0c5

SHA512
78fc2b84dc42e86bec9e802f6a96a3507802a033b54429ac0d2c65b726edfb0dc3ee1cf5c57dde455a5ffa36b49ebf9c1ff4335b5b7fab70b9609d903e59ca8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\STARTISBACK\Styles\Plain10.msstyles

Filesize
48KB

MD5
a69385279536210958fb9c86cab229d6

SHA1
6ecb118cfb9b8ef42c79aa0d795c3d8b51f0341d

SHA256
3955fc60d3b7c4a1badd831fde82269261407cf9d459c65b429e8abc769adeed

SHA512
f1cf5b1ec22416e645c0dfc128c25166585e300a8db2de6ec51e0689e26e54831dcf2b26a03115423b9b71f1b109389a3e14173fe0a8bbebc2547f9ca33cd412

Download Submit
C:\Users\Admin\AppData\Local\Temp\STARTISBACK\Styles\Plain8.msstyles

Filesize
118KB

MD5
509fd060516d1971da8d0c2173748358

SHA1
67ccd63914312b1f491467bec42232916df109c7

SHA256
43c7016d950248f52f9512c9e7393c38d61a3ba2235e5fb6deed83564d8e9442

SHA512
de3d87b7e0a518ffbb10ccd400dbf5f9596177b75dd7aa4785855d36f007ef0417b88b2eb3aa6af7e52fb3670c021f714bcf87a33551ffc4536444d5204aa7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\STARTISBACK\Styles\Windows 7.msstyles

Filesize
405KB

MD5
b6a2892c151ccd59d0b4c4c1777daac5

SHA1
b34791b4db3956620dffb2e11e1fa160e2d20889

SHA256
0c6e681a8091ba888e58473cceeae590c88a405bb30dcb344f940acf27290ce8

SHA512
e8fc5c96d155bf9657c07d861e2597d681a23ce1d46ec3e779251126e989be41c883e0545e80b5291c96a3ead4eb6c2affe8b419abb506bc5e5376fe2fa212ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\STARTISBACK\UpdateCheck.exe

Filesize
3KB

MD5
f9756c261aa978c787302debff8f142a

SHA1
81b5b130741d5df2feccd67bb6edb1a9d08d48aa

SHA256
a8d52a2653709d93d0d2c05d653dcf8f0cb06f11422d183eb6871528c95df319

SHA512
20ae445ab28d98ce6c1c8b066b7133541d9f944df7dbfccbc35df724165624c82d76c260c6041e5033e965e4dc0a2a57a67b594057cbc88f8ccc6ac9490c08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\STARTISBACK\startscreen.exe

Filesize
71KB

MD5
a2d6e2201be02973328038457aa64bba

SHA1
684338bd758a92449d43c49a0aa539f323760215

SHA256
f4e76abf0df055fae97863708412773b51197bae0ddd9692a9509e824d847df0

SHA512
21002b3b3cd01beb923692addaef4e5d0fcbee972154e25bea2c4ece591185bf8e6221959fbcc772fc7e7f73dce18747909dcd9c04423a0ade70f6cfba72f135

Download Submit
C:\Users\Admin\AppData\Local\Temp\sibtask.xml

Filesize
3KB

MD5
331691375e3eb33ed12214c26797c23f

SHA1
3719bd8407dcc0a40f5d9eedc927eea80d0ef9e4

SHA256
2ffd12fcc5e8c87af2f14605602e8602dcfa2d5638ad6bd690e0a1014fe2c772

SHA512
e002ce601db8cb4a3ad3ce02812752f5c547739df2aa2501de248899775a939a7a6652a3695a0a56b6cc3b2d599230f3278f1d8fad19066be30ee0ddedc2d7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\startscreen\desktop.ini

Filesize
80B

MD5
8011052ff701a0c4439ee18450e8e51d

SHA1
a4893c2482522ccc3dee1c95ce644d8e1090d6ae

SHA256
b901f0d5c24c25f334690f540b2a62d3e9c76226bdc183d45422e3237cc36051

SHA512
c1712b4ea2fb42f38e76adaed613890f5e707a1ca495c87da506d423b3141a463fff034b1ae80824f6f8db776a9181f27d5f3f5a6cb94a1ab87ac0babe10d2c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsnCD35.tmp\LangDLL.dll

Filesize
5KB

MD5
549ee11198143574f4d9953198a09fe8

SHA1
2e89ba5f30e1c1c4ce517f28ec1505294bb6c4c1

SHA256
131aa0df90c08dce2eecee46cce8759e9afff04bf15b7b0002c2a53ae5e92c36

SHA512
0fb4cea4fd320381fe50c52d1c198261f0347d6dcee857917169fcc3e2083ed4933beff708e81d816787195cca050f3f5f9c5ac9cc7f781831b028ef5714bec8

Download Submit
\Users\Admin\AppData\Local\Temp\nsnCD35.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
\Users\Admin\AppData\Local\Temp\nsnCD35.tmp\nsDialogs.dll

Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit
\Users\Admin\AppData\Local\Temp\nsnCD35.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
memory/1420-64-0x0000000000400000-0x0000000000653000-memory.dmp

Filesize
2.3MB

Download
memory/1420-31-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2164-99-0x000001DE44A00000-0x000001DE44B00000-memory.dmp

Filesize
1024KB

Download
memory/2164-98-0x000001DE44A00000-0x000001DE44B00000-memory.dmp

Filesize
1024KB

Download
memory/2164-103-0x000001DE45090000-0x000001DE450B0000-memory.dmp

Filesize
128KB

Download
memory/2164-127-0x000001DE452B0000-0x000001DE452D0000-memory.dmp

Filesize
128KB

Download
memory/5080-97-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads