File name:

StartBack AiO 1.0.111.exe

Full analysis: https://app.any.run/tasks/06186fb9-ebab-42bb-9eef-32c35de21d5c
Verdict: Malicious activity
Analysis date: October 01, 2024, 09:43:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7249F6835315AA984E8CC55DC4570F39

SHA1:

B9336055CF8885D8B6729B02C6396CEAFEB2FF24

SHA256:

A1680DB8F92E06E2CB95A1D1B695B782BBFDBB6398F461ECA7B100F8643E1AD5

SSDEEP:

98304:FPriRyXVUnqmtdRT5rjxI9T4X6N4EYeOMh+CRWvh1OKFiCyGNR04NIbsNEpUqEoS:gsab0LzUC7wCY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • StartIsBackCfg.exe (PID: 4792)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • StartBack AiO 1.0.111.tmp (PID: 1556)
    • Executable content was dropped or overwritten

      • StartBack AiO 1.0.111.exe (PID: 5476)
      • StartBack AiO 1.0.111.tmp (PID: 1556)
      • StartIsBackCfg.exe (PID: 4792)
    • Process drops legitimate windows executable

      • StartBack AiO 1.0.111.tmp (PID: 1556)
    • Uses TASKKILL.EXE to kill process

      • StartIsBackCfg.exe (PID: 4792)
    • The process executes via Task Scheduler

      • explorer.exe (PID: 3180)
      • PLUGScheduler.exe (PID: 2592)
      • StartScreen.exe (PID: 4432)
    • Application launched itself

      • StartIsBackCfg.exe (PID: 6028)
    • Uses REG/REGEDIT.EXE to modify registry

      • StartBack AiO 1.0.111.tmp (PID: 1556)
  • INFO

    • Checks supported languages

      • StartBack AiO 1.0.111.exe (PID: 5476)
      • StartBack AiO 1.0.111.tmp (PID: 1556)
    • Create files in a temporary directory

      • StartBack AiO 1.0.111.exe (PID: 5476)
      • StartBack AiO 1.0.111.tmp (PID: 1556)
    • Reads the computer name

      • StartBack AiO 1.0.111.tmp (PID: 1556)
    • Application launched itself

      • firefox.exe (PID: 1256)
      • firefox.exe (PID: 2476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00 (the fixed value 0x2A425E19 that Borland/Delphi linkers write into the PE header; it matches the Inno Setup/Delphi identification above and is not a real build date)
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 37888
InitializedDataSize: 25600
UninitializedDataSize: -
EntryPoint: 0x9c14
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.111.0
ProductVersionNumber: 1.0.111.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: LR
FileDescription: StartBack Setup
FileVersion: 1.0.111.0
LegalCopyright: Copyright 2007-2024 LRepacks
ProductName: StartBack
ProductVersion: 1.0.111
All screenshots are available in the full report
Total processes
313
Monitored processes
46
Malicious processes
3
Suspicious processes
0

Behavior graph

start
  • startback aio 1.0.111.exe
  • startback aio 1.0.111.tmp
  • regedit.exe
  • startisbackcfg.exe (no specs)
  • startisbackcfg.exe
  • startscreen.exe (no specs)
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • explorer.exe (no specs)
  • explorer.exe
  • startscreen.exe (no specs)
  • startmenuexperiencehost.exe (no specs)
  • tiworker.exe (no specs)
  • searchapp.exe
  • startisbackcfg.exe (no specs)
  • mobsync.exe (no specs)
  • startisbackcfg.exe
  • firefox.exe (no specs)
  • firefox.exe
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • taskmgr.exe (no specs)
  • taskmgr.exe
  • plugscheduler.exe (no specs)
  • startscreen.exe (no specs)
  • startback aio 1.0.111.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1144
CMD:
taskkill.exe /F /IM explorer*
Path:
C:\Windows\SysWOW64\taskkill.exe
Parent process:
StartIsBackCfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
1248
CMD:
"C:\Program Files (x86)\StartIsBack\\StartIsBackCfg.exe" /appearance
Path:
C:\Program Files (x86)\StartIsBack\StartIsBackCfg.exe
Parent process:
StartIsBackCfg.exe
User:
admin
Integrity Level:
MEDIUM
Description:
StartIsBack configuration
Exit code:
0
Version:
5.9.20.3594
Modules
Images
c:\program files (x86)\startisback\startisbackcfg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\msvcp_win.dll
PID:
1252
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1256
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe"
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID:
1308
CMD:
"C:\WINDOWS\system32\taskmgr.exe" /4
Path:
C:\Windows\System32\Taskmgr.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Manager
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\rpcrt4.dll
PID:
1432
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1556
CMD:
"C:\Users\admin\AppData\Local\Temp\is-PR9UF.tmp\StartBack AiO 1.0.111.tmp" /SL5="$10036E,6087217,64512,C:\Users\admin\AppData\Local\Temp\StartBack AiO 1.0.111.exe"
Path:
C:\Users\admin\AppData\Local\Temp\is-PR9UF.tmp\StartBack AiO 1.0.111.tmp
Parent process:
StartBack AiO 1.0.111.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.52.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-pr9uf.tmp\startback aio 1.0.111.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
1636
CMD:
schtasks.exe /Create /TN "\StartIsBack health check" /XML "C:\Users\admin\AppData\Local\Temp\sibtask.xml"
Path:
C:\Windows\SysWOW64\schtasks.exe
Parent process:
StartIsBackCfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
2192
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2224
CMD:
"C:\Users\admin\AppData\Local\Temp\is-I8UCL.tmp\SIB\StartIsBackCfg.exe" /trialover
Path:
C:\Users\admin\AppData\Local\Temp\is-I8UCL.tmp\SIB\StartIsBackCfg.exe
Parent process:
StartBack AiO 1.0.111.tmp
User:
admin
Integrity Level:
HIGH
Description:
StartIsBack configuration
Exit code:
0
Version:
5.9.20.3594
Modules
Images
c:\users\admin\appdata\local\temp\is-i8ucl.tmp\sib\startisbackcfg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
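The process records above (and the registry writes in the next section) are the raw material for a detection rule. The following Python script is an added example, not part of the ANY.RUN report or of StartIsBack: it re-types a handful of the events shown on this page (PIDs, image paths, command lines, parent image names and registry writes copied from the report) into a Sysmon-like dict layout whose field names and rule names are this example's own assumptions, and applies four rules a practitioner would want to see fire on this sample: a scheduled task created from an XML file under a user-writable path, a forced kill of explorer.exe, execution from an Inno Setup is-XXXXX.tmp staging directory, and COM in-process server registration under HKLM\SOFTWARE\Classes\CLSID. Firefox (PID 1256) is included as a control that should produce no findings.

```python
"""Triage rules over process-creation and registry-write events.

Added example; not part of the ANY.RUN report. The event lists are re-typed
from the report into an assumed Sysmon-like dict layout (field names and rule
names are this example's own).
"""
import re

# Constructed from the report's "Process information" section (PIDs, image
# paths, command lines and parent image names as shown on the page).
PROCESS_EVENTS = [
    {"pid": 1556, "parent_image": "StartBack AiO 1.0.111.exe",
     "image": r"C:\Users\admin\AppData\Local\Temp\is-PR9UF.tmp\StartBack AiO 1.0.111.tmp",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\is-PR9UF.tmp\StartBack AiO 1.0.111.tmp" /SL5="$10036E,6087217,64512,C:\Users\admin\AppData\Local\Temp\StartBack AiO 1.0.111.exe"'},
    {"pid": 2224, "parent_image": "StartBack AiO 1.0.111.tmp",
     "image": r"C:\Users\admin\AppData\Local\Temp\is-I8UCL.tmp\SIB\StartIsBackCfg.exe",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\is-I8UCL.tmp\SIB\StartIsBackCfg.exe" /trialover'},
    {"pid": 1636, "parent_image": "StartIsBackCfg.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'schtasks.exe /Create /TN "\StartIsBack health check" /XML "C:\Users\admin\AppData\Local\Temp\sibtask.xml"'},
    {"pid": 1144, "parent_image": "StartIsBackCfg.exe",
     "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmd": r"taskkill.exe /F /IM explorer*"},
    {"pid": 1248, "parent_image": "StartIsBackCfg.exe",
     "image": r"C:\Program Files (x86)\StartIsBack\StartIsBackCfg.exe",
     "cmd": r'"C:\Program Files (x86)\StartIsBack\\StartIsBackCfg.exe" /appearance'},
    {"pid": 1256, "parent_image": "firefox.exe",  # control: benign browser start
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmd": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
]

# Constructed from the report's "Modification events" section.
REGISTRY_EVENTS = [
    {"pid": 1556, "key": r"HKEY_CURRENT_USER\SOFTWARE\StartIsBack",
     "name": "AutoUpdates", "value": "0"},
    {"pid": 4792, "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\StartIsBack",
     "name": "UninstallString", "value": r"C:\Program Files (x86)\StartIsBack\StartIsBackCfg.exe /uninstall"},
    {"pid": 4792, "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32",
     "name": "ThreadingModel", "value": "Apartment"},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)  # %APPDATA% / %LOCALAPPDATA%
INNO_STAGING = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\", re.I)       # Inno Setup extraction dir
XML_ARG = re.compile(r'/xml\s+(?:"([^"]*)"|(\S+))', re.I)          # schtasks ... /XML <path>


def triage_process(ev):
    """Return the rule names that fire for one process-creation event."""
    hits = []
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmd"]
    if name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        m = XML_ARG.search(cmd)
        xml_path = (m.group(1) or m.group(2)) if m else ""
        if USER_WRITABLE.search(xml_path):
            hits.append("schtasks_create_from_user_writable_xml")
    if name == "taskkill.exe" and re.search(r"/f\b.*\bexplorer", cmd, re.I):
        hits.append("force_kill_explorer")
    if INNO_STAGING.search(ev["image"]):
        hits.append("exec_from_inno_setup_staging_dir")
    return hits


def triage_registry(ev):
    """Return the rule names that fire for one registry-write event."""
    hits = []
    key = ev["key"].lower()
    if "\\classes\\clsid\\" in key and key.endswith("\\inprocserver32"):
        hits.append("com_inproc_server_registered")  # a DLL will be loaded into COM clients
    if "\\currentversion\\uninstall\\" in key and ev["name"].lower() == "uninstallstring":
        hits.append("uninstall_entry_written")
    return hits


def run_triage(process_events, registry_events):
    """Map PID -> sorted, de-duplicated rule names; PIDs with no hits are omitted."""
    findings = {}
    for ev in process_events:
        findings.setdefault(ev["pid"], set()).update(triage_process(ev))
    for ev in registry_events:
        findings.setdefault(ev["pid"], set()).update(triage_registry(ev))
    return {pid: sorted(h) for pid, h in findings.items() if h}


if __name__ == "__main__":
    for pid, rules in sorted(run_triage(PROCESS_EVENTS, REGISTRY_EVENTS).items()):
        print(pid, ", ".join(rules))
```

The rules are deliberately narrow and, as this sample shows, a legitimate installer trips them too: an Inno Setup repack that registers a shell extension and restarts explorer.exe looks the same at this level as a persistence implant. They are triage signals for the analyst reading the full report, not a verdict on their own.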
Total events
45 159
Read events
44 786
Write events
343
Delete events
30

Modification events

(PID) Process:
(1556) StartBack AiO 1.0.111.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\StartIsBack
Operation:
write
Name:
AutoUpdates
Value:
0

(PID) Process:
(4792) StartIsBackCfg.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\StartIsBack
Operation:
write
Name:
InstallLocation
Value:
C:\Program Files (x86)\StartIsBack\

(PID) Process:
(4792) StartIsBackCfg.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\StartIsBack
Operation:
write
Name:
Publisher
Value:
startisback.com

(PID) Process:
(4792) StartIsBackCfg.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\StartIsBack
Operation:
write
Name:
NoModify
Value:
1

(PID) Process:
(4792) StartIsBackCfg.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\StartIsBack
Operation:
write
Name:
NoRepair
Value:
1

(PID) Process:
(4792) StartIsBackCfg.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\StartIsBack
Operation:
write
Name:
DisplayName
Value:
StartIsBack++

(PID) Process:
(4792) StartIsBackCfg.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\StartIsBack
Operation:
write
Name:
DisplayIcon
Value:
C:\Program Files (x86)\StartIsBack\StartIsBackCfg.exe,0

(PID) Process:
(4792) StartIsBackCfg.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\StartIsBack
Operation:
write
Name:
DisplayVersion
Value:
2.9.20

(PID) Process:
(4792) StartIsBackCfg.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\StartIsBack
Operation:
write
Name:
UninstallString
Value:
C:\Program Files (x86)\StartIsBack\StartIsBackCfg.exe /uninstall

(PID) Process:
(4792) StartIsBackCfg.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32
Operation:
write
Name:
ThreadingModel
Value:
Apartment
Executable files
51
Suspicious files
284
Text files
440
Unknown types
11

Dropped files

PID | Process | Filename | Type
1556 | StartBack AiO 1.0.111.tmp | C:\Users\admin\AppData\Local\Temp\is-I8UCL.tmp\SIB\is-IQFDH.tmp |
MD5:
SHA256:
1556 | StartBack AiO 1.0.111.tmp | C:\Users\admin\AppData\Local\Temp\is-I8UCL.tmp\SIB\UpdateCheck.exe |
MD5:
SHA256:
1556 | StartBack AiO 1.0.111.tmp | C:\Users\admin\AppData\Local\Temp\is-I8UCL.tmp\_isetup\_shfoldr.dll | executable
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
1556 | StartBack AiO 1.0.111.tmp | C:\Users\admin\AppData\Local\Temp\is-I8UCL.tmp\SIB\Orbs\Shamrock.orb | executable
MD5: EF55E07E1A2E47BB2BB749046CD150B2
SHA256: 1A8DAC51758C66A1BB03FBC227B5EDB52EF7379FA3603B62EB3307005D06C9B5
1556 | StartBack AiO 1.0.111.tmp | C:\Users\admin\AppData\Local\Temp\is-I8UCL.tmp\VclStylesInno.dll | executable
MD5: B0CA93CEB050A2FEFF0B19E65072BBB5
SHA256: 0E93313F42084D804B9AC4BE53D844E549CFCAF19E6F276A3B0F82F01B9B2246
1556 | StartBack AiO 1.0.111.tmp | C:\Users\admin\AppData\Local\Temp\is-I8UCL.tmp\SIB\msimg32.dll | executable
MD5: 5E1BB511C41A1199B40CC2A46219199B
SHA256: 7AA4815E7379401328D8E241EB443C86620AC0B84850F6F1B41ADD74E3490EDE
1556 | StartBack AiO 1.0.111.tmp | C:\Users\admin\AppData\Local\Temp\is-I8UCL.tmp\SIB\Orbs\StartIsBack_Ei8htOrb_v2_by_PainteR.bmp | image
MD5: 641328C75E6B117545211DB22DAFCAA0
SHA256: 76A72C9AD77843B58223DD588483AC1265A31C15AAEB47EE66D1925DE787644B
1556 | StartBack AiO 1.0.111.tmp | C:\Users\admin\AppData\Local\Temp\is-I8UCL.tmp\_isetup\_RegDLL.tmp | executable
MD5: 0EE914C6F0BB93996C75941E1AD629C6
SHA256: 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
1556 | StartBack AiO 1.0.111.tmp | C:\Users\admin\AppData\Local\Temp\is-I8UCL.tmp\ISTask.dll | executable
MD5: 86A1311D51C00B278CB7F27796EA442E
SHA256: E916BDF232744E00CBD8D608168A019C9F41A68A7E8390AA48CFB525276C483D
1556 | StartBack AiO 1.0.111.tmp | C:\Users\admin\AppData\Local\Temp\is-I8UCL.tmp\SIB\Orbs\is-OB2SR.tmp | executable
MD5: EF55E07E1A2E47BB2BB749046CD150B2
SHA256: 1A8DAC51758C66A1BB03FBC227B5EDB52EF7379FA3603B62EB3307005D06C9B5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
128
DNS requests
117
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown |  |  | whitelisted
1336 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown |  |  | whitelisted
3148 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown |  |  | whitelisted
3148 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown |  |  | whitelisted
1248 | StartIsBackCfg.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEHgDGEJFcIpBz28BuO60qVQ%3D | unknown |  |  | whitelisted
1256 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown |  |  | whitelisted
1804 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown |  |  | whitelisted
6604 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown |  |  | whitelisted
1248 | StartIsBackCfg.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLuA3ygnKW%2F7xuSx%2F09F%2BhHVuEUQQU2rONwCSQo2t30wygWd0hZ2R2C3gCDCDBiIDOtWEZZFv2fw%3D%3D | unknown |  |  | whitelisted
1248 | StartIsBackCfg.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgOhtwj4VKsGchDZBEc%3D | unknown |  |  | whitelisted
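Every HTTP row above is a certificate-status check, not command-and-control: the path component of each OCSP GET is a base64-encoded DER OCSPRequest (RFC 6960, Appendix A.1), and the GlobalSign responder paths queried by StartIsBackCfg.exe (PID 1248), rootr3, codesigningrootr45 and gsgccr45codesignca2020, name GlobalSign's root and code-signing CAs, consistent with the configuration tool validating a code-signing chain. The following script is an added example, not part of the ANY.RUN report: it decodes two of the URLs copied from this page with a minimal DER walker (standard library only) and returns the hash algorithm, issuer name and key hashes, and the serial number of the certificate whose status was requested, which is the value an analyst would pivot on. The labels, function names and dict keys are this example's own.

```python
"""Decode OCSP GET requests (RFC 6960, Appendix A.1) from responder URLs.

Added example; not part of the ANY.RUN report. The two URLs are copied from
the HTTP table on the page; labels, function names and the DER walker are
this example's own.
"""
import base64
from urllib.parse import unquote

OCSP_URLS = {
    # svchost.exe (PID 1336) -> DigiCert responder
    "digicert_pid1336": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D",
    # StartIsBackCfg.exe (PID 1248) -> GlobalSign code-signing CA responder
    "globalsign_pid1248": "http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLuA3ygnKW%2F7xuSx%2F09F%2BhHVuEUQQU2rONwCSQo2t30wygWd0hZ2R2C3gCDCDBiIDOtWEZZFv2fw%3D%3D",
}

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
SEQUENCE = 0x30


def der_tlv(buf, pos=0):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        yield tag, val


def decode_oid(value):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER content octet string."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get_url(url):
    """Return one dict per CertID in the OCSPRequest carried by an OCSP GET URL."""
    # Split on '/' before percent-decoding: '/' inside the base64 is sent as %2F.
    der = base64.b64decode(unquote(url.rsplit("/", 1)[1]))
    tag, ocsp_request, end = der_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("URL suffix is not a single DER SEQUENCE")
    # OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] OPTIONAL }
    tbs = next(v for t, v in der_children(ocsp_request) if t == SEQUENCE)
    # TBSRequest: version [0] and requestorName [1] are context-tagged; requestList is the SEQUENCE.
    request_list = next(v for t, v in der_children(tbs) if t == SEQUENCE)
    results = []
    for _, request in der_children(request_list):
        # Request ::= SEQUENCE { reqCert CertID, singleRequestExtensions [0] OPTIONAL }
        _, cert_id = next(der_children(request))
        # CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }
        alg, name_hash, key_hash, serial = [v for _, v in der_children(cert_id)]
        oid = decode_oid(next(der_children(alg))[1])
        results.append({
            "hash_algorithm": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial_number": serial.hex(),  # raw INTEGER content; a leading 00 is a sign octet
        })
    return results


def decode_all(urls=OCSP_URLS):
    """Decode every URL in the table; label -> list of CertID dicts."""
    return {label: parse_ocsp_get_url(u) for label, u in urls.items()}


if __name__ == "__main__":
    for label, reqs in decode_all().items():
        for r in reqs:
            print(label, r)
```

The issuer hashes are computed over the issuer's DN and public key, so attributing a request to a particular certificate needs the issuer certificate in hand; the script only extracts the identifiers. Matching the serial from the GlobalSign requests against the code-signing certificate on the dropped StartIsBack binaries would confirm that these connections are the tool's own signature check.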

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 |  |  |  | whitelisted
4288 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 |  | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 |  |  |  | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
4288 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1336 | svchost.exe | 40.126.32.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1336 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3260 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
google.com
  • 142.250.186.142
whitelisted
login.live.com
  • 40.126.32.68
  • 40.126.32.72
  • 20.190.160.20
  • 20.190.160.17
  • 40.126.32.140
  • 40.126.32.136
  • 40.126.32.133
  • 20.190.160.14
  • 40.126.32.138
  • 40.126.32.74
  • 40.126.32.76
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
go.microsoft.com
  • 2.19.246.123
  • 23.213.166.81
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted

Threats

No threats detected
Process | Message
regedit.exe | REGEDIT: CreateFile failed, GetLastError() = 2
explorer.exe | Purging StartIsBack cache directory