80fcb4eaba78212dfc841e4410f7194dff9050e459533b34deebb9da00cc5241

Analysis

max time kernel
52s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e395626363c42bb14c20677df91f32c0_NeikiAnalytics.exe
Size

1.7MB
MD5

e395626363c42bb14c20677df91f32c0
SHA1

101e71683324fa049fcbcb686693dbf84ed98aaf
SHA256

80fcb4eaba78212dfc841e4410f7194dff9050e459533b34deebb9da00cc5241
SHA512

2314ff2169d4f230a551b9fd2158c32e2a57771f33e37af614e6233c2eb91b1f0ca6c44b5f47ac18efdf069069f9f989e702c35f50fcef404c61c2a9961e8044
SSDEEP

49152:RAtNW31SNQdlVFGeoOtaqcEM7CURDlQuTPfJqL9IOgT6g:RALekImeV2pCUVl9TUrgT6g

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000002326f-1.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4652	StartAllBackCfg.exe

Loads dropped DLL 12 IoCs

pid	Process
3812	e395626363c42bb14c20677df91f32c0_NeikiAnalytics.exe
4652	StartAllBackCfg.exe
972	explorer.exe
4772	Process not Found
3628	explorer.exe
2020	explorer.exe
3860	explorer.exe
2820	explorer.exe
1752	explorer.exe
4944	explorer.exe
3856	explorer.exe
1340	explorer.exe

Registers COM server for autorun 1 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32\ = "C:\\Program Files\\StartAllBack\\StartAllBackX64.dll"	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32\ThreadingModel = "Apartment"	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32\ = "C:\\Program Files\\StartAllBack\\StartAllBackX64.dll"	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ab0b37ec-56f6-4a0e-a8fd-7a8bf7c2da97}\InProcServer32\ = "C:\\Program Files\\StartAllBack\\StartAllBackX64.dll"	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117E3954-5034-453A-A18B-7B79493646E6}\InProcServer32	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32\ = "C:\\Program Files\\StartAllBack\\StartAllBackX64.dll"	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da3306b1-2554-420b-8d0e-6bd29bb4d8ed}\LocalServer32	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32\ThreadingModel = "Apartment"	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da3306b1-2554-420b-8d0e-6bd29bb4d8ed}\LocalServer32\ = "\"C:\\Program Files\\StartAllBack\\UpdateCheck.exe\""	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ThreadingModel = "Apartment"	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ThreadingModel = "Apartment"	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ = "C:\\Program Files\\StartAllBack\\StartAllBackX64.dll"	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ = "C:\\Program Files\\StartAllBack\\StartAllBackX64.dll"	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ab0b37ec-56f6-4a0e-a8fd-7a8bf7c2da97}\InProcServer32	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32\ = "C:\\Program Files\\StartAllBack\\StartAllBackX64.dll"	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ab0b37ec-56f6-4a0e-a8fd-7a8bf7c2da97}\InProcServer32\ThreadingModel = "Apartment"	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117E3954-5034-453A-A18B-7B79493646E6}\InProcServer32\ = "C:\\Program Files\\StartAllBack\\StartAllBackLoaderX64.dll"	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32\ThreadingModel = "Apartment"	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117E3954-5034-453A-A18B-7B79493646E6}\InProcServer32\ThreadingModel = "Apartment"	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32\ThreadingModel = "Apartment"	StartAllBackCfg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002326f-1.dat	upx
behavioral2/memory/3812-5-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3812-248-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3812-260-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3812-426-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3812-720-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\e:	e395626363c42bb14c20677df91f32c0_NeikiAnalytics.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\StartAllBack\StartAllBackLoaderX64.dll	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Orbs\clover.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\Windows.shareprivate.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\windows.hideSelected.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\windows.pastelink.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\windows.SystemProperties.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\windows.troubleshoot.svg	StartAllBackCfg.exe
File opened for modification	C:\Program Files\StartAllBack\StartAllBackX64.dll	StartAllBackCfg.exe
File opened for modification	C:\Program Files\StartAllBack\Ribbon\theme-dark	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\windows.layout.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\windows.pastelink.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\windows.slideshow.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\windows.troubleshoot.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Orbs\e1evenorb-pr.png	StartAllBackCfg.exe
File opened for modification	C:\Program Files\StartAllBack\Ribbon	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\windows.removeproperties.svg	StartAllBackCfg.exe
File opened for modification	C:\Program Files\StartAllBack\Ribbon\theme-light	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\windows.edit.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Orbs\w8logo.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\accessmedia.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\windows.help.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\accessmedia.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\Windows.MultiVerb.cmd.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\DarkMagicX64.dll	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\Windows.MultiVerb.cmd.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\windows.slideshow.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\windows.folderoptions.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\Windows.MultiVerb.cmdPromptAsAdministrator.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\Windows.Computer.Manage.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\Windows.AddRemovePrograms.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\windows.layout.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\Windows.AddRemovePrograms.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\UpdateCheck.exe	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\DarkMagicLoaderX86.exe	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\Windows.RibbonPermissionsDialog.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\Windows.CopyToMenu.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\windows.help.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\windows.openControlPanel.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\StartAllBackCfg.exe	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\Windows.MoveToMenu.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Orbs\Windows 7.orb	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\Windows.CopyToMenu.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\windows.hideSelected.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\easyaccess.svg	StartAllBackCfg.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	e395626363c42bb14c20677df91f32c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\StartAllBack\Orbs	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\windows.folderoptions.svg	StartAllBackCfg.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	e395626363c42bb14c20677df91f32c0_NeikiAnalytics.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\Windows.MoveToMenu.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\windows.email.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\windows.open.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\windows.opencontrolpanel.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\DarkMagicLoaderX64.exe	StartAllBackCfg.exe
File opened for modification	C:\Program Files\StartAllBack\Styles	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\Windows.RibbonPermissionsDialog.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\DarkMagicX86.dll	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Styles\Windows 7.msstyles	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\easyaccess.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\Windows.MultiVerb.cmdPromptAsAdministrator.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\windows.removeproperties.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\Windows.shareprivate.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\StartAllBackX64.dll	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-dark\windows.SystemProperties.svg	StartAllBackCfg.exe
File created	C:\Program Files\StartAllBack\Ribbon\theme-light\Windows.Computer.Manage.svg	StartAllBackCfg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1452	schtasks.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4496	taskkill.exe
1976	taskkill.exe
3612	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\StartIsBack.UpdateToast\DisplayName = "StartAllBack"	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.AppsFolder\Shell\ChangeIcon\MuiVerb = "@shell32.dll,-34608"	StartAllBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.AppsFolder\Shell\Delete	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117E3954-5034-453A-A18B-7B79493646E6}\InProcServer32\ = "C:\\Program Files\\StartAllBack\\StartAllBackLoaderX64.dll"	StartAllBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\CopyPath\MuiVerb = "@shell32.dll,-30329"	StartAllBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\DefaultIcon\ = "C:\\Program Files\\StartAllBack\\StartAllBackCfg.exe,0"	StartAllBackCfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\SeparatorBefore = "1"	StartAllBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\ShellFolder\Attributes = "0"	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}	StartAllBackCfg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\DefaultIcon	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\ = "Settings Pages"	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.AppsFolder\Shell\ChangeIcon	StartAllBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete	StartAllBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\ = "StartIsBack All Programs Folder"	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sib-activate\shell\open	StartAllBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\CopyPath\Extended	StartAllBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{74382B63-6DC0-464B-A5D0-7EE86F5DA5AC}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSILink\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\ShellFolder	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.AppsFolder\Shell\Delete\Command	StartAllBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ = "C:\\Program Files\\StartAllBack\\StartAllBackX64.dll"	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\Command\DelegateExecute = "{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}"	StartAllBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sib-activate\shell\open\command	StartAllBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\StartIsBack.UpdateToast\IconBackgroundColor = "0"	StartAllBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117E3954-5034-453A-A18B-7B79493646E6}	StartAllBackCfg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3812	e395626363c42bb14c20677df91f32c0_NeikiAnalytics.exe
3812	e395626363c42bb14c20677df91f32c0_NeikiAnalytics.exe
2032	tskill.exe
2032	tskill.exe
3812	e395626363c42bb14c20677df91f32c0_NeikiAnalytics.exe
3812	e395626363c42bb14c20677df91f32c0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	e395626363c42bb14c20677df91f32c0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	4496	taskkill.exe
Token: SeDebugPrivilege	4652	StartAllBackCfg.exe
Token: SeDebugPrivilege	3612	taskkill.exe
Token: SeDebugPrivilege	4652	StartAllBackCfg.exe
Token: SeDebugPrivilege	4652	StartAllBackCfg.exe
Token: SeDebugPrivilege	4652	StartAllBackCfg.exe
Token: SeTakeOwnershipPrivilege	4652	StartAllBackCfg.exe
Token: SeShutdownPrivilege	972	explorer.exe
Token: SeCreatePagefilePrivilege	972	explorer.exe
Token: SeShutdownPrivilege	972	explorer.exe
Token: SeCreatePagefilePrivilege	972	explorer.exe
Token: SeShutdownPrivilege	972	explorer.exe
Token: SeCreatePagefilePrivilege	972	explorer.exe
Token: SeShutdownPrivilege	972	explorer.exe
Token: SeCreatePagefilePrivilege	972	explorer.exe
Token: SeShutdownPrivilege	972	explorer.exe
Token: SeCreatePagefilePrivilege	972	explorer.exe
Token: SeShutdownPrivilege	972	explorer.exe
Token: SeCreatePagefilePrivilege	972	explorer.exe
Token: SeShutdownPrivilege	972	explorer.exe
Token: SeCreatePagefilePrivilege	972	explorer.exe
Token: SeShutdownPrivilege	972	explorer.exe
Token: SeCreatePagefilePrivilege	972	explorer.exe
Token: SeShutdownPrivilege	972	explorer.exe
Token: SeCreatePagefilePrivilege	972	explorer.exe
Token: SeShutdownPrivilege	972	explorer.exe
Token: SeCreatePagefilePrivilege	972	explorer.exe
Token: SeShutdownPrivilege	972	explorer.exe
Token: SeCreatePagefilePrivilege	972	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe
Token: SeCreatePagefilePrivilege	3628	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe
Token: SeCreatePagefilePrivilege	3628	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe
Token: SeCreatePagefilePrivilege	3628	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe
Token: SeCreatePagefilePrivilege	3628	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe
Token: SeCreatePagefilePrivilege	3628	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe
Token: SeCreatePagefilePrivilege	3628	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe
Token: SeCreatePagefilePrivilege	3628	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe
Token: SeCreatePagefilePrivilege	3628	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe
Token: SeCreatePagefilePrivilege	3628	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe
Token: SeCreatePagefilePrivilege	3628	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe
Token: SeCreatePagefilePrivilege	3628	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe
Token: SeCreatePagefilePrivilege	3628	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe
Token: SeCreatePagefilePrivilege	3628	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe
Token: SeCreatePagefilePrivilege	3628	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe
Token: SeCreatePagefilePrivilege	3628	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe
Token: SeCreatePagefilePrivilege	3628	explorer.exe
Token: SeShutdownPrivilege	3628	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4652	StartAllBackCfg.exe
4652	StartAllBackCfg.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
3860	explorer.exe
3860	explorer.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2528	StartMenuExperienceHost.exe
1564	StartMenuExperienceHost.exe
1708	SearchApp.exe
2636	StartMenuExperienceHost.exe
1344	SearchApp.exe
3724	StartMenuExperienceHost.exe
512	SearchApp.exe
4492	StartMenuExperienceHost.exe
4340	SearchApp.exe
5012	StartMenuExperienceHost.exe
960	SearchApp.exe
4176	StartMenuExperienceHost.exe
3896	SearchApp.exe
3520	StartMenuExperienceHost.exe
1016	SearchApp.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 4652	3812	e395626363c42bb14c20677df91f32c0_NeikiAnalytics.exe	81
PID 3812 wrote to memory of 4652	3812	e395626363c42bb14c20677df91f32c0_NeikiAnalytics.exe	81
PID 4652 wrote to memory of 2500	4652	StartAllBackCfg.exe	82
PID 4652 wrote to memory of 2500	4652	StartAllBackCfg.exe	82
PID 4652 wrote to memory of 4496	4652	StartAllBackCfg.exe	84
PID 4652 wrote to memory of 4496	4652	StartAllBackCfg.exe	84
PID 4652 wrote to memory of 1976	4652	StartAllBackCfg.exe	85
PID 4652 wrote to memory of 1976	4652	StartAllBackCfg.exe	85
PID 4652 wrote to memory of 2032	4652	StartAllBackCfg.exe	89
PID 4652 wrote to memory of 2032	4652	StartAllBackCfg.exe	89
PID 4652 wrote to memory of 3612	4652	StartAllBackCfg.exe	91
PID 4652 wrote to memory of 3612	4652	StartAllBackCfg.exe	91
PID 4652 wrote to memory of 1452	4652	StartAllBackCfg.exe	93
PID 4652 wrote to memory of 1452	4652	StartAllBackCfg.exe	93
PID 3812 wrote to memory of 972	3812	e395626363c42bb14c20677df91f32c0_NeikiAnalytics.exe	95
PID 3812 wrote to memory of 972	3812	e395626363c42bb14c20677df91f32c0_NeikiAnalytics.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e395626363c42bb14c20677df91f32c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e395626363c42bb14c20677df91f32c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\Start\StartAllBackCfg.exe
  "C:\Users\Admin\AppData\Local\Temp\Start\StartAllBackCfg.exe" /install /elevated /silent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks.exe /Delete /TN "\StartIsBack health check" /F
    3⤵
    PID:2500
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill.exe /F /IM prevhost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4496
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill.exe /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- - C:\Windows\SYSTEM32\tskill.exe
    tskill.exe explorer
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2032
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill.exe /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3612
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks.exe /Create /TN "\StartAllBack Update" /XML "C:\Users\Admin\AppData\Local\Temp\sabtask.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1452
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:972

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3628

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:2020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:512

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4492

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4340

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:960

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:4944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4176

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3896

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3856

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3520

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1016

C:\Windows\explorer.exe
explorer.exe
1⤵
- Loads dropped DLL
PID:1340

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1828

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4316

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3532

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4616

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3088

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1020

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4616

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3068

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4660

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3628

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2344

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1620

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2820

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2276

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1792

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4300

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2280

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1292

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3996

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2624

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3864

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1452

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3676

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4416

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1788

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3032

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4516

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1004

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2572

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4420

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2852

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3728

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4440

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3712

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4384

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4844

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3924

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1196

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\9WOT0LPI\microsoft.windows[1].xml

Filesize
96B

MD5
589e139869250cac3aaf7cb946d415ab

SHA1
71b4b736779c2716ee9ce5b2892cbc4edec40ee8

SHA256
60f8214fb3bed025a0239c2d15501db6f669215d8d09371a285568ed5c5bad26

SHA512
0877e0c5a806bffe678a27fbef67b128723f886bf0ea7a8fe82d4c57de61a78efdb36604c0296ab643e4674caff3d0def6fc4b3c9efbd27332fa5729414a2632

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133597583760495088.txt

Filesize
75KB

MD5
79ea60e4feeffe4483ba2d0ea61852fb

SHA1
7d5921a1b6240cc717ad4f4478bbcfc42f3af8e8

SHA256
1e85f6cd486b20682b1a6af9f34e7993a558f3b5dccd1e80a55178847e794923

SHA512
4d0866c2b63af9570fa20bca628a6e67b3704d7ab5a8a1311fb614f38b54444cc6630390092282f075751cae38000a17e4bf1cb992a8900b0c72965c0b24dbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\DarkMagicLoaderX64.exe

Filesize
14KB

MD5
f10548e2ab140eea3ffbf25c3597e8ef

SHA1
9453dc066f224dfa223ebd258609f64c2e097133

SHA256
226aed60d979d7d935438028e1a1bd9b89c5a0e3fdf600c6b929bc8e0152c6cf

SHA512
e14a8ccfb3cb8f56fbd012231316017547eb31a74ad3c2da7db88e0513e05ff33179f92f16fa05764664354547f70f76d3264fd16e4c848e43b047cbe6a1538d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\DarkMagicLoaderX86.exe

Filesize
14KB

MD5
15edc6e6cb0ba1d65fecccbfd3ea2bf7

SHA1
6b25f36aca10a23ce534d1776a5d8bed7039a727

SHA256
1bd4b0fb35dcc337b54cd859087f4d84178c19361667624e0a2df196b77ef556

SHA512
23891b7c5bd483d1e14a9a5d3144d47497d8ccc2255aae879ff0396b5117e73b568e72f274c8d39412937cec1ea457e2acf411193d2b10de959741bbeada5ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\DarkMagicX64.dll

Filesize
102KB

MD5
33dff2973cc5f7c10e0dcd771921e482

SHA1
746eb9dd51b452922ca25531d2b2e3ba346419f2

SHA256
0c3978251f3248b6c1be851ce0755d33de13b61aee296f9dae19a127336bec06

SHA512
5a0b6827cea35555b7535cd37e05df4fe988c3018d860b3e3e0312ab532a14efb85d981b07ab107ad19142c59e4797964ba995ac055c7ff6d7185783c8c0ac94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\DarkMagicX86.dll

Filesize
85KB

MD5
925844f0d6dbe57a793a5fb5f825a9b5

SHA1
5cf3e6da91485435d2b24ba03a1903e7ebd3c4f2

SHA256
1c98a3ce805ec519193acf85cc9f14dfcf3a7c99bbb1cfc6a779ae5f3f9613cd

SHA512
29227129668956c6292671469000dc561f9d7d60ae4a7cb6b2fc1cfe41660cb7aa3e94fbef7bdd8b354be57bd0febfbb16e616b83a99dd6370e52eb1673fefb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Orbs\Windows 7.orb

Filesize
295KB

MD5
85328e698e8a74852b4061a683915dc8

SHA1
b898267f8574a34e6d605e541e5234c27dd53f5d

SHA256
e5b74e9e7bd6758a0154b11462ae3328edd143190865198104d8bd53b9af7275

SHA512
03945c487c6e697f7b352374a989bfe41d1de7d00624461d2b97fb2027b26d36b35035d5e78ea622c31372087dae647c5d3591c7f9a27941c009993e719ee28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Orbs\clover.svg

Filesize
1KB

MD5
47b9be5d069d6873cc9bfc3fc7c3b9b2

SHA1
481a3689dc871d2286ae51412439d877ca5a5201

SHA256
1e0e1ea6149fffe9a6d09a77b404fe17db7d455d1036faebdc168b1ce5869282

SHA512
3c8e67f8ff198dc97c76acb8e910e130455ad5bb596a805a08a25ed8fdd78ac8820d97d9cc82a72096cc5d4914f1eff7afb1b03405a8a87688d54aaecfd89b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Orbs\e1evenorb-pr.png

Filesize
167KB

MD5
e5ecad423623a327b850919bd8a41bd4

SHA1
a25e38296db28d28d4e50042c84600b35d091f0a

SHA256
6e451fe2d887698c4290b830aec1a4a196de22eb3bcf6734b567521bf2d6edf2

SHA512
ef8252abd127f5f1179b828a1d156b2ee4b6781e97a4afa3685418b2e4a94061554e5d23cee3713df18b32337dd2de0fe55841501210f8dfeff0086966bd77a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Orbs\w8logo.svg

Filesize
713B

MD5
f13738b41b7a2042c53dd228601639e0

SHA1
fa746d221f52d39cd3eb9aecfd2911a2f1b47cbe

SHA256
c75684410793a98a051a1cf95395709c73e9589037d47be3f6277b4ac355b7fb

SHA512
1d890663a981ecb4794abfb22575bb54f74fea76123d6c9969281e36ef8864c33f77e41986481c386c867a3c6c1a4bb826d20257576d0fbabd1de6264f350291

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\Windows.AddRemovePrograms.svg

Filesize
3KB

MD5
e0f7ef3d2f36317931a42dddd494c9c2

SHA1
c6b916609b96d81bbf803a3eaeed1b088b69109b

SHA256
f51c5b5b68f6bc5104188a93f145ca2d6e57d94636fda34e41599bae0e5ec682

SHA512
d7722dc17345fd4245834f247249b8f9e7595728ea3c176d7349d39d90b8b57df47f2c2eb430366cc1d38df04f2567783976d3ea424bf013ea9e296679f23344

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\Windows.Computer.Manage.svg

Filesize
4KB

MD5
107fe8d57a6d6821321648484ea41333

SHA1
98df047cc084171b3485bd2ce8abe287f9487f55

SHA256
11b72939689a479cbda2bf96a64774d2ac605c7054cf23deba0663ed4dc11d6c

SHA512
9de0802330eaca6ae4849c9472decbc97af7dacdd91665f55b43c54c7981e9afa362365da5ae49e30b0a182d5d86d6f863d94e37b8fb92756de857dfdd15b4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\Windows.CopyToMenu.svg

Filesize
2KB

MD5
719b1c337f9362d872c788c1b8a443f2

SHA1
bf435a2671443a3aa54342219ec7a8413f3fc638

SHA256
0d4efb27e6c7b774206155dd6abddd2cc85635a467c869c7675da196869a5e2b

SHA512
b60a9d72d669a41e961849c7d5acd02b03fe043b551c97ba2661d94a39644c3871a137b6bc62c6e8b45919861adbc3e220f54131e4e877ed30ba82d5e998dabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\Windows.MoveToMenu.svg

Filesize
858B

MD5
7beacb39451ca90854d81dc79b25f579

SHA1
2fbe3c7c118d0799ced08f530274d04c4530ea99

SHA256
40f70db8f7814acf922e25411f82f9d9b9420d30e34f5c6199b8488e260ca13f

SHA512
c66850bf3d41bccdf49859244dd38797e57cc7af8acf774d578f799a769ba7296108252dee262bde7d8268ffd90c2985392a7544f9087e551b519e8ca2293fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\Windows.MultiVerb.cmd.svg

Filesize
4KB

MD5
836de6af228e5d47f4a5eedbe79d9172

SHA1
866f1d4825c6e8fc93f2e4284850bd054dfc39cd

SHA256
e642c6fa1611e1e937a31bce4b61d1951d6783e3ff633729f86096b67cfe6228

SHA512
b022f7ec8acd5c80ce03fcb58ab3d551b2760f93b9bb8770e5f034416738cc87e3c633527939fec584deef38dc25db203844f8cd76856bd24a90694a0ce2edda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\Windows.MultiVerb.cmdPromptAsAdministrator.svg

Filesize
2KB

MD5
6c377e6d5bd170f014b2352c0ab7421a

SHA1
f96a1db407f92341dd47ebe432de32913de4a45e

SHA256
8e4de3dfc33b3b3edc2d3b37e95669c9794d98cefefdc50bb6ba02f0937d606c

SHA512
8218d88c6cbf6c3277f36556f54c4b533502b135c58bb24a2efbcabc2125bc39dc38e51cf130b320b8dc8edc08d04aeb4cedb9472966e907981f19adfa3589ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\Windows.RibbonPermissionsDialog.svg

Filesize
2KB

MD5
f0e4bf42cb74c5dd771f24c743f868e0

SHA1
65bbc97217ca22ea7228b25b9848d3919b3a502a

SHA256
2b9a7c378e0160ac8e5843f1ced91021802b677776dcf9ffa71524adbefa1800

SHA512
d2e4143b52fcac95423966ca78b4bc3c9634eac01f6ea17125125b47d77fb4e68c3c3458fd48c33b10ed9024b18a4c1c66cc466592e47832403f1d20828409d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\Windows.shareprivate.svg

Filesize
3KB

MD5
f330543683bd4ae04f346f54507d22e3

SHA1
98fe7d1542a3ebbaaa9c24238fc1f48cadd046df

SHA256
ebfceadfeac8434c464713ec411e1b9059a743ef0e7b676adaba78b005bb877e

SHA512
4752ca2f4b32b8db793cb746a67a918eb52f46490246179dfccf441a1cb5ae23b95929e766a9ba7200b0c84ef6361051a6efa461ba1175f448126c521fdec5e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\accessmedia.svg

Filesize
634B

MD5
87549bfacb19ac7eea47dfdddca9ea80

SHA1
bec2cd7951d75ef20f9bf8379f61e8121eca8775

SHA256
a14b44b414971fae445df013a5de357ff625e4a509bfead3b0c01a74844aa515

SHA512
c0f36410598e26a9783dec3b1fed11fa3dfa563bef210385ec213dc1f49d53637d5fb6ff4405c852bcd150e951b162a1d856151aa2512c15b9ee68ca43d42304

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\easyaccess.svg

Filesize
2KB

MD5
b0dbcbb94384185aa810405152782157

SHA1
2448bec63e385fd475466178a17b68167ec30398

SHA256
6cebc92632e26a4fea23d3e95e3590912f0037f2500ebe576e6d0af54abd4c79

SHA512
c0fff2be0a62c0c154e071a07aa061ad502fe2916939ebd2fcf64de62d368782c99fac2869e4c5e4c904d2773251d23e1f863e7a4fb1d39e07ebd45f9794f618

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\windows.SystemProperties.svg

Filesize
3KB

MD5
14d22222ec2d2f20fba16893756ea5d4

SHA1
b642b876676c1342c6b67ffdb98896a6b02df2a3

SHA256
e99475d76b50f34ec3b1e4346677237d6737fa78bb572b9b7c7fb6837d8a0662

SHA512
dac7b0d0c64903fcf1c775e89035709af858fa04667ff046820f5cd7b30658b173c4906fcfc0ff85310d98fcde717fd55f51a92b03c96363dc99a3996b04a14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\windows.folderoptions.svg

Filesize
1019B

MD5
fb052ee6b0d4eb3a0ac028075e212e49

SHA1
19c6c4b06055ae70c9a35c3c0e4fc51df18a9fcf

SHA256
3615ad11593e0fa41c9fcebe32b9e96865cf13a27640f87802aa3c33730a05eb

SHA512
c2eea0be65b7b1f325991f671523a34c8383f10a049726ff2b52b270697f9bb29ea1936590dc94e84b02b39449d0a2fbd31104d4670324216248cbdb6116cc72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\windows.help.svg

Filesize
3KB

MD5
613988bed41860a9cd8716e840f1b43a

SHA1
805710d924cd714e84e29b1ad8b19f8166708502

SHA256
2aed30dcca71f8d120cffc6b01c318bf1898e62615045fea5e33e1552f289e93

SHA512
ead70f060366fd23309939e6aff86e394d3ae9517e22147bd1f57c6981004c2b2c01a6624eafd6a80454c1233f85b4d02de7b3eb5618c3bd743540360d931e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\windows.hideSelected.svg

Filesize
1KB

MD5
aea15430def6cfda52866c7acce670cb

SHA1
6fb41dc83d8eb9f14c42bfdc734f22aaadf57a51

SHA256
931320e31e415b420aa1985d2b7305d4f3b1d2f1d8ffddb18c01690aa84f3d20

SHA512
d97bd0f7fb7ed1e40ab550e9103eace9139de44a0c4bffe7745b1f99edfd799f07379ef19889cd4a838bdeea99c726ea977539a4de0246eed36fa00c403ff48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\windows.layout.svg

Filesize
680B

MD5
2105ff4f8f0fefefa00b5ddd93ed9d79

SHA1
45f452e56c9aebda14d057e1f1797e20887ef5df

SHA256
f39d73c1cd814615aa74ce9fc04a4b7f4c83156b2173875134eaa3f60fb70c7e

SHA512
fbce0a5606cdeca22f3c53de7b966a9a00cc1ff40bb5af59d25eea7870a2fec140908c086b91760d16674a6d65c90c47d392dd7319ab507b7ea70a5a437bf89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\windows.open.svg

Filesize
2KB

MD5
536711aa27aaf290c2410dcda8e2b591

SHA1
c1a681b60f9c58379aa36854081154819e252fdf

SHA256
412a37d3e1856910f22c2c35071eae274e3d83047e7a33339f31f501cc5579b2

SHA512
b45f5b5cc062e961d9152ad76be81b6c0c2d95bde7619ac231cc583c064db2454ca9b4a642778a517021a09563ae004428007d52ee89a0cd9ae5a736f2c3f3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\windows.opencontrolpanel.svg

Filesize
1KB

MD5
643dbb3b6ee4756762b5f54f655e39c0

SHA1
ea7ee9230092f5fdb7906128e553b70dc5c64fc3

SHA256
bd0c11262c33d08d2f3030d256ae7c16fad62d0050dfc568e9057871db3b5b5a

SHA512
b63981deff805fbc128d6d6a8be6a53d70fd80ba6dd4c017d6e8866202431c0b3968d1cf3326c5336deeef89e1f7a60251d9874293e7a975cbc340e643f367c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\windows.pastelink.svg

Filesize
726B

MD5
9529c8cf62cb8d41191701e0fae024bb

SHA1
c526c95ee6a643414789b56acb99de703db8c8ea

SHA256
2e6c18304704c1ae4885abfe8b002c429a4ca7676f0a0cf8e168950d63f7a218

SHA512
7c5061848719d99eebfd5ddef0152c1d591033c3bf1a9162fa2984ffe030d29fec0f0957f3b1d4bbb3d5b8227f8774f74e4832b1d545cfecc09c86ad1eab9cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\windows.removeproperties.svg

Filesize
1KB

MD5
3f8ca186cb7ddd7894eb556e4b5fb44d

SHA1
e9f8be66944d1476e672d07e2e807579b2fd1563

SHA256
a6a11b85c515027090396db56e7f41036861f3fc00f518e23885566d629b44b5

SHA512
bbefdfeef896ab0878359387584cb7908fcce27726831acaad975d867d1c5b9a70d67ec1f6dbc03ec0fe7955aae95d1ad251e57730ba9598441e18d366452841

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\windows.slideshow.svg

Filesize
4KB

MD5
1ac51ba1373596a8d1f06bc083f4a399

SHA1
8ac25f224311ce855dd56614730da461d6bac52c

SHA256
d384130da33fa213933956306d7ee8bb8377f8dfd3bc4aee588fb453d2b34fd5

SHA512
0a9031ccf4b29444ef460f4df2b63b64bd880b5d79c32343c63a04dbf31af09b7547210bc975bc3c5d2389cec2ba20684205e1465753adfa9733912d97bc5bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-dark\windows.troubleshoot.svg

Filesize
617B

MD5
cddcc9583650cc486eb4cdef5a9b5b98

SHA1
c37f053ffb211a8889639e52a9ac0767c1b8058a

SHA256
f720372e65c2882f142712338aaeded555129dd4853dd2ccd432613d74707616

SHA512
abfb7d54dffef751559ce4d3ba7a79c9ac0cf023147c6ea8624df4953090aef489968cebab0c5c633b1a095205cd5e2671a609b2914eb03685ffc3724ee17404

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\Windows.AddRemovePrograms.svg

Filesize
3KB

MD5
80ea667b88a6337c38b2177f2ae84423

SHA1
89f24a1562d96eea28d8d3ea821042f9d177641d

SHA256
c118dfe2cca3abbe108b9ca2c664305f79e7b348cb142f504e826d04381bf143

SHA512
431d2ebc64e14c291d80d4bc8faff585e4337fb4f2318d6c775b6296967679ffa054dfb7fa41f4586392e9921d64c6dd76b45d6c6dae16255a4005e091e7e3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\Windows.Computer.Manage.svg

Filesize
5KB

MD5
8987c299c5fbac9f68136bb012e1eb4b

SHA1
6878a2a158a7be4e3bfa899763c42a057782d4fb

SHA256
24ab22832e298877665641631c70ded68e5f9fc750d5e15f59b65cce06d8b4b2

SHA512
1564e7e74bbd3dc94dcb51c4cda29718e5caab86bf877084b72338a712f762eb4525424a7acdc0e866b775157064fb6025df2c2276daf83fe12b2aad2b348af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\Windows.CopyToMenu.svg

Filesize
2KB

MD5
fbc42d74506b01301daaa4ed713e59c3

SHA1
6cbfcb87d0447c00680c9710dde8d8ff2cd77216

SHA256
9d81e9391ee6e6515a573dce662d0d50d4938f81ff640051873667c93c6ac469

SHA512
146028277f96039af0c19154ec44f402c560896bbc44cbf9cdac3c4d8fbc8c153169f38d5b8cfcab47144095b688e41345528be049f04621d2673cc0532f13c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\Windows.MoveToMenu.svg

Filesize
1020B

MD5
64a35fc57fb167888db1fc08ae4517cb

SHA1
ef0677fdfdc73684dee13fd10cc37281d5a1654f

SHA256
bf8458615d4d28a96091627aafc0cf6853aaaf93e87bda52e3edc62baff9c5f9

SHA512
a7aee19efd2c8b019cfb051d88ae458e0fdf0220ce03f634d55e54dec53b8df4d8d255749f3dd06621b9d9b1ac8845f357145810977e542d6d5aded4e33ee7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\Windows.MultiVerb.cmd.svg

Filesize
4KB

MD5
950e13db1fc393ea7444f5139e0698c2

SHA1
456dcc1c7a494b4fa0aa7d17029cd11ba235926e

SHA256
118e3fd996a8eaa8406d0e98fb76e8224b23e32210543993c71da993e07c368f

SHA512
975c7c4c104e4b7935a5e4b7a0bae5da5cc96e02627b6db4565bf8e434d7ea146447a1171538e286886ee83b902ed038a920790dd9284410df69c23e4bfca8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\Windows.MultiVerb.cmdPromptAsAdministrator.svg

Filesize
2KB

MD5
82c31602416e4be22531b6daa5339ef5

SHA1
b066f34a2df875b62c7ae81d425d2c92db0cceed

SHA256
48ee93c6978fb0bf08e2de11ffccb52e190d9325f7889c9c21442b97167fef1e

SHA512
0683bc5044628cd49ee69fff640b336f60165b387a44d9d4f53552362fd4374c4bb77560b178cb4a279f35f8edea6d479a7a6e839a32cbe7cd89d2aea64c7667

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\Windows.RibbonPermissionsDialog.svg

Filesize
2KB

MD5
e04891b2f5d2a3f7d820874069efbef0

SHA1
6a0fd5094b970112bbc059bdfff30e98e38a630b

SHA256
1fb69fbf893a9c105ef34a722e7bf2bf52cd152f1f5c16d10a5551f9cc3bcfae

SHA512
c06c846faca627d3eb9e28fe2d54c34785139cf8db3e1bbc0c5f600fbe0693dac9b1909e2f7cb5821d2eca60810bdc53ac287f174f8a86893093df217cceb40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\Windows.shareprivate.svg

Filesize
3KB

MD5
71f2d59747a3f434e644dcc2d9ae5cf8

SHA1
8e355281310095907caddb5505dde9493845991c

SHA256
c3537a0c281a6332ac2a7eb35285b3bc7ec9bda291442d482b98a45b01eed7c7

SHA512
016b1fc3c52dc1e83d26daf3d8a2339843291d895f0225331397c80c00c779bbd8284f53cf1d4899d16068b1eeade8426bca66ad2de5ede5495c17d5dae08cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\accessmedia.svg

Filesize
868B

MD5
c5e59d922cc9a14408ee01a473de2051

SHA1
6eaf109c422b2ebfc632f5c70e66b91f90d53f7c

SHA256
dc2ab9af2b1cd24b11acd4f0ca0e55cbb65d2eac5228a411c2698d0827ffad7c

SHA512
9efd45be57ba0727058fb8439794ec62a0b0728a886aafd8069fa8bfa0b23fcc2c011838e29a8268872508875ff1d6ec874cec6b991ac09167784c3b6495681f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\easyaccess.svg

Filesize
2KB

MD5
bd71ae5561063094ecdbb18d0f38d474

SHA1
e2eee62bfd715d2bb807ff1daf354f2954f93efc

SHA256
3a58ece9da8a88a997fb95b0ed8d81f223218f2e089192b451df8a451fcc9800

SHA512
f9c39d0a4c438402ae71eba7fce031db76c9616ec9b88592fc6f7d80b73b57d6333f567844ea13209afa662e1f879812cb0dfd0a40772d9a94be210c5cedff29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\windows.SystemProperties.svg

Filesize
4KB

MD5
41f4d4bff29ad862ba7b8c8ba9dfa2ec

SHA1
f1290462632aad2a3c32b005c8a9699e6647f778

SHA256
1808bf21c47237f8bb8cde2d014d79281cc41ab8bbffefd929b4d64fdecc2204

SHA512
e6eca2533f02042fb294b2477c513577759bc5403b8c02a82258143e62a59e06e9dcb68cf1a67f77280abffc4ce29e4bf2e3711cb1574ed987f22b78e4adcd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\windows.edit.svg

Filesize
1KB

MD5
14c11b2296c00db335bbd269c13d6c88

SHA1
331b1f70491c6a271eed972a43a256c025b7ca1b

SHA256
1e69d480542ecf89010e0947c100605423ec60a92bd87702c72513952065b3b8

SHA512
7bbaa9985676b0b7898ef889107ef9294dbc1bb3ac7dc0211c13b481b2eba449233f0bc54bc969fd65d8533bee15113570f470df4ee77b85a41cb98cc2b91977

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\windows.email.svg

Filesize
853B

MD5
e257e78118c790a46596520e85e550ce

SHA1
9d38ae7247cabab3d34b10f49589bb73fc4dc51c

SHA256
3568a00a810d5984b8c71df89157bed7a34466ae72ac743e2020e8c29fe3df57

SHA512
8de7dc8f3c2bc4a9b725c1c2a45c8d6a5b4f92c46798ed52592b35c7701c3391aa6416f447f2887cc15795f389abcefea2014311d7d94b255a3ed1c6eb2e9b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\windows.folderoptions.svg

Filesize
1KB

MD5
b06dadd8a262cb69caa45a0fc1d2e8e1

SHA1
e9807e96344a0961115eaf759bb718d8bacd6497

SHA256
1b0fbca9b1dad3bd78494ef75632d54f977e22c6835788d00e179af2bc23bafd

SHA512
be626b15478772bc67817034e8133834949da0e91796c1d2f51ef0f830284f76b69eda8137104e28d426b9864e2ded0cef689572d5eceea4f58c56124c323525

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\windows.help.svg

Filesize
3KB

MD5
d2eaed105868254a169000bc4f8e01b0

SHA1
3bf8727922d9362f99ae1513e1337fdb34378d6b

SHA256
5cff4abe766fa2c18a0e69d5be21388ddbd90e47ff7316090ba2279ccdf19b6f

SHA512
5cee6dcda5e731d179d5a1194e194047440bdd560850698e165c30ddb7bf6f18827ec815b3df1bd18b0d5727c22a96c05fa5af53798c62f32715b6a78e9a4bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\windows.hideSelected.svg

Filesize
1KB

MD5
969f2a95d9f8f53871ec2915b7f899e4

SHA1
d70d953d5b162503877917d7c388b83cd7533a17

SHA256
5cb0408302a93efe9dc8cab07f2f6d450945026f844a5ce7728d2e830d0eeae1

SHA512
c1cd140e670609b7247605f0dadffe3bd7922403d97fde3335fdbbe60195a4a66530a96b39d8842f469a30d30c5f6e6bce74dd70221a36c1d8544c2bffa4f7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\windows.layout.svg

Filesize
799B

MD5
12dba44c3a22a457c5b75f19a0526100

SHA1
617f700da8af1239c27291176a8316619006a43c

SHA256
9b2c371947eec1f36cf20096e33a32aec971a1148646451863aee8a868df6dab

SHA512
7c5614de250201375a3f52981a2abc570b2a133880cd40d77ee7d0f50d938ecc3b94466c086f0b4cea0da8c78e9cffe1b48a6a42a8d02933474cf6d2c607f097

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\windows.open.svg

Filesize
3KB

MD5
d88f7146f06864129fcee20421c9cad6

SHA1
f7c359d52db709fd691b2de3594dfcc2c9b5f133

SHA256
644d576f3f86307b5f9448b88dce9f53e4fd40e14fd00317c37efc70f8a6c3b5

SHA512
73b055d1c273ed4410f8785a9a4e221992a3db860eb3fb684ae4894ddc25c1d1c3df36a690633f57cc20ae1db19acc1e7b08181839b341deb1c7b48ebbacbff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\windows.openControlPanel.svg

Filesize
2KB

MD5
a7a6d780d544651856596d0a038225f5

SHA1
4a1275178521d9949631cd171826298591a07b9e

SHA256
942cf1dbbc4b72975e512dca10160d0e0c14bbab067b3a2c50bf9d33b8e22fd1

SHA512
8f466aa606c743e114c77d8409725cd3f4b831fbc72278959712104c4b7aff140a22d0ae184ac39bf8f3e0b53bb1bcb649fa8fca867c9e1212b1f613ab0afde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\windows.pastelink.svg

Filesize
856B

MD5
c166ab708a47bcfd4c9a4db9d49b116c

SHA1
672873c5f1ae795ad6d6cf79d48916bfefacec13

SHA256
7508b21509f19d080ca825c15d3ef4314dc35920f8aff7ffe4ea896f3e384872

SHA512
55ec0cf124820386e411868a7ff590cfdd238cb1fb93555943de0587669ef02eb128487ae58c3151b629c8fb82ad1bbebd36a8de592a52e3d083c6b28438c618

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\windows.removeproperties.svg

Filesize
2KB

MD5
aa7a1f8653ca76f4aa3a6ee5e578a30f

SHA1
24da64a7c889016fc62721a37650e7c890f8540e

SHA256
7f7424bc7c1580d0c6fa842fc0c08ad9a4aad1f2100bd314170a81f242a13e2d

SHA512
d52b1c0f26754910cf86f1367c79e780a7baf713a2037d3fd4556747c595f5d7e31dca3f04165a7bf7d09d903e06e356e004974ec3bc555ef87b6f4fa8b7afc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\windows.slideshow.svg

Filesize
5KB

MD5
69b0feba9de26f8a460c519f4699951c

SHA1
ea7bf9dc8127cfae43050eda38871ce377074c89

SHA256
b24b24932cc2156d51f7ee5365656f83b358d894860ba921eb353f1664dc22fd

SHA512
26ce95a2dc56a0348b44359b9bf191290373e4837f0b152012c7a8c9ce909aad16f1d3e98ef950ac9c3a1761c7ad6a352ef7591440d8c7e250c78e5fd7ac88bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Ribbon\theme-light\windows.troubleshoot.svg

Filesize
736B

MD5
093bbd8b65d76465b2c034441f0ac188

SHA1
acd1e990254e61df8f80749575ad5586528419ff

SHA256
d019f486cc06d5083dda9ac166d538357471ba4076ff0a332ad5a9c048947513

SHA512
8029290faeac2bb3ba70c5cc6e9f5c1cbeddf623e5506b33f5d812dcac6fa994bb9d9634a0867e3a389e53fc718f995aa1c54b714536644114105ca580325c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\StartAllBackCfg.exe

Filesize
3.2MB

MD5
f694716309e0116eaad74fe6f802a3c7

SHA1
d680f472b17e2e490859972f7ad4987f4bdd4e97

SHA256
04c559dd407c0c07215bdebe89814c31ba420d224bee2ab6830ba169c6d9d5e3

SHA512
58e3116e5146d9d1e3e4e8ea60301583fbbba3702b82b7c5cd3d5d6cc237b7366b9f04bb5bfe8ae3bdb4076165159e798aac5e1bf9d4a02a01a2dd1aacde9dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\StartAllBackLoaderX64.dll

Filesize
15KB

MD5
02745717ed9538dc59401864c21a3171

SHA1
3de54b3906038310ef82a1b2687114e0ce48b543

SHA256
927c97dc5a20bd7c72236248f21deb8513ee8a09c493e8f1a9d5374948114fda

SHA512
7dcd0af8267a29c05d8b99353058957fc67ca145691f7eb12564c757c659e8fcb94b6d000b45663546e4c7b14f1fd5775bf8f4eedcdbedd7e67226cc0e3b1a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\StartAllBackX64.dll

Filesize
790KB

MD5
79397af4593f4b6b9cc1d6ce30a4078d

SHA1
14d531076f622ed80666b97d4ff7d731df75fb64

SHA256
7f80ecfd976a23fdfb85f9e7401ba690b3f745ea51a6383d4b1cd10815819ffc

SHA512
88c9c76f4623320ef5e44778b152038637176a2a6a7d1a9f639ded1d09dec52ce36c7a0bd09a1707a190c09dffd347505b7b46b2ab083685092a5ecc2652790e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Styles\Plain8.msstyles

Filesize
118KB

MD5
509fd060516d1971da8d0c2173748358

SHA1
67ccd63914312b1f491467bec42232916df109c7

SHA256
43c7016d950248f52f9512c9e7393c38d61a3ba2235e5fb6deed83564d8e9442

SHA512
de3d87b7e0a518ffbb10ccd400dbf5f9596177b75dd7aa4785855d36f007ef0417b88b2eb3aa6af7e52fb3670c021f714bcf87a33551ffc4536444d5204aa7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\Styles\Windows 7.msstyles

Filesize
377KB

MD5
5bcd1f14702ed1c521a13cec168770c7

SHA1
60d9b2740ae59e32cb843ae9171db90d24212884

SHA256
5d7d0f58359bc0017da66b3b893515435add2908f3c10920e0cad2febd3e0e62

SHA512
ccd3df8072768e42c607d372c35c5e484c51a3ed24545ae29cad8aab61a1cdd2e9c8c33dfed41406566b31ed775c0ffc56859f97d8dd2859f4899af1a670b752

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start\UpdateCheck.exe

Filesize
24B

MD5
ef1cf6c52c07e01c09e7d2a478be8fef

SHA1
56561edafd61884f13374e06e39a8cecb9313a5e

SHA256
27eef8746ec8c90b67b59555c32c432e0d679fd8e38d9c635efdd1857d480a52

SHA512
9fb10e7e08b0ff5575e6ac8986d95c3df6c0eb0fcc2a93fb758d943de4a939999c09d5849120eeb18912c945d6c3ecef20b27fbd8a4a1f3852d385a6fbd92bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sabtask.xml

Filesize
2KB

MD5
bbad05f872777904f019634403400c22

SHA1
406894d9c71b7705f333cc93b6ae36e3d6785507

SHA256
cab61ef9bd58338d1cc4815c0f4725985b41196032c66b5a4d0a92d3bc5f1a6c

SHA512
27eb2bd9d3e65f6a3ef8e176bb5e868be1898781aab17bdf024db8c8c5cb3941dea053a03cc3f281a3201454b6cc849f2e47fd91a691e8697cb9b06bd9d1dbb7

Download Submit
memory/512-596-0x00000256C4B20000-0x00000256C4B40000-memory.dmp

Filesize
128KB

Download
memory/512-608-0x00000256C4F30000-0x00000256C4F50000-memory.dmp

Filesize
128KB

Download
memory/512-580-0x00000256C3A00000-0x00000256C3B00000-memory.dmp

Filesize
1024KB

Download
memory/512-579-0x00000256C3A00000-0x00000256C3B00000-memory.dmp

Filesize
1024KB

Download
memory/512-584-0x00000256C4B60000-0x00000256C4B80000-memory.dmp

Filesize
128KB

Download
memory/960-875-0x0000024A3BB00000-0x0000024A3BC00000-memory.dmp

Filesize
1024KB

Download
memory/960-892-0x0000024A3CC20000-0x0000024A3CC40000-memory.dmp

Filesize
128KB

Download
memory/960-908-0x0000024A3D020000-0x0000024A3D040000-memory.dmp

Filesize
128KB

Download
memory/960-876-0x0000024A3BB00000-0x0000024A3BC00000-memory.dmp

Filesize
1024KB

Download
memory/960-880-0x0000024A3CC60000-0x0000024A3CC80000-memory.dmp

Filesize
128KB

Download
memory/1016-1182-0x000001B8DB940000-0x000001B8DB960000-memory.dmp

Filesize
128KB

Download
memory/1016-1174-0x000001B8DB530000-0x000001B8DB550000-memory.dmp

Filesize
128KB

Download
memory/1016-1161-0x000001B8DA420000-0x000001B8DA520000-memory.dmp

Filesize
1024KB

Download
memory/1016-1166-0x000001B8DB570000-0x000001B8DB590000-memory.dmp

Filesize
128KB

Download
memory/1020-1593-0x0000029007D70000-0x0000029007E70000-memory.dmp

Filesize
1024KB

Download
memory/1340-1295-0x0000000001770000-0x0000000001771000-memory.dmp

Filesize
4KB

Download
memory/1344-445-0x00000226CB960000-0x00000226CB980000-memory.dmp

Filesize
128KB

Download
memory/1344-434-0x00000226CB9A0000-0x00000226CB9C0000-memory.dmp

Filesize
128KB

Download
memory/1344-459-0x00000226CBD70000-0x00000226CBD90000-memory.dmp

Filesize
128KB

Download
memory/1708-268-0x0000025E66770000-0x0000025E66790000-memory.dmp

Filesize
128KB

Download
memory/1708-263-0x0000025E65600000-0x0000025E65700000-memory.dmp

Filesize
1024KB

Download
memory/1708-275-0x0000025E66730000-0x0000025E66750000-memory.dmp

Filesize
128KB

Download
memory/1708-291-0x0000025E66B40000-0x0000025E66B60000-memory.dmp

Filesize
128KB

Download
memory/1708-265-0x0000025E65600000-0x0000025E65700000-memory.dmp

Filesize
1024KB

Download
memory/1752-873-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/2020-427-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/2820-722-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/3392-1591-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/3532-1439-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/3628-261-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/3812-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3812-720-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3812-248-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3812-422-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3812-5-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3812-426-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3812-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3812-4-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/3812-249-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3812-260-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3856-1160-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/3860-577-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/3896-1021-0x0000013B6FC00000-0x0000013B6FD00000-memory.dmp

Filesize
1024KB

Download
memory/3896-1037-0x0000013B70AD0000-0x0000013B70AF0000-memory.dmp

Filesize
128KB

Download
memory/3896-1047-0x0000013B710E0000-0x0000013B71100000-memory.dmp

Filesize
128KB

Download
memory/3896-1026-0x0000013B70B10000-0x0000013B70B30000-memory.dmp

Filesize
128KB

Download
memory/3896-1022-0x0000013B6FC00000-0x0000013B6FD00000-memory.dmp

Filesize
1024KB

Download
memory/4316-1298-0x000001CCB6120000-0x000001CCB6220000-memory.dmp

Filesize
1024KB

Download
memory/4316-1302-0x000001CCB7280000-0x000001CCB72A0000-memory.dmp

Filesize
128KB

Download
memory/4316-1311-0x000001CCB7240000-0x000001CCB7260000-memory.dmp

Filesize
128KB

Download
memory/4316-1330-0x000001CCB7650000-0x000001CCB7670000-memory.dmp

Filesize
128KB

Download
memory/4340-757-0x000001D0070C0000-0x000001D0070E0000-memory.dmp

Filesize
128KB

Download
memory/4340-739-0x000001D006AA0000-0x000001D006AC0000-memory.dmp

Filesize
128KB

Download
memory/4340-729-0x000001D006AE0000-0x000001D006B00000-memory.dmp

Filesize
128KB

Download
memory/4616-1443-0x0000023EFDF20000-0x0000023EFE020000-memory.dmp

Filesize
1024KB

Download
memory/4616-1446-0x0000023EFF080000-0x0000023EFF0A0000-memory.dmp

Filesize
128KB

Download
memory/4616-1468-0x0000023EFF450000-0x0000023EFF470000-memory.dmp

Filesize
128KB

Download
memory/4616-1457-0x0000023EFF040000-0x0000023EFF060000-memory.dmp

Filesize
128KB

Download
memory/4652-247-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/4652-77-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/4944-1019-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download