9b443b87b22ce548a2d6d203cc92cf6e7b78116896779fd336405aa48005ca04

Analysis

max time kernel
220s
max time network
225s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
20/02/2024, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stardock_Start11_v2.0.5.4_RePack_by_xetrin.rar
Size

37.4MB
MD5

0aaba9530b7136b98f47f4f470eaa3c4
SHA1

497cd66e041e435a77adced517292cdf8a58078d
SHA256

9b443b87b22ce548a2d6d203cc92cf6e7b78116896779fd336405aa48005ca04
SHA512

e80342676c49d59d267742c12572ff474a98be64e0ba744b80a5a62b8525706f4208a883e0af7a94ce259f162531129837dac3ca41e33ac3e1375fdb71bc055b
SSDEEP

786432:dDnH89gHJTs4dzmPwMDoBdWp14jg/6SyeGcmVohB/jiEo4zcjelR2jX6+DKt8/:dDH7pBsPoBArn/OeGJuhhiEo6cq+DKt2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
4300	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe
2476	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
1384	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe
4240	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
1104	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe
4844	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
420	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe
1360	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp

Loads dropped DLL 3 IoCs

pid	Process
2476	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
4844	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
1360	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
3088	2476	WerFault.exe	93
2212	2476	WerFault.exe	93
4380	4240	WerFault.exe	104
3460	4240	WerFault.exe	104
3356	4844	WerFault.exe	123
3780	4844	WerFault.exe	123
4552	1360	WerFault.exe	134
4804	1360	WerFault.exe	134

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-176679640-153325197-3537295364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-176679640-153325197-3537295364-1000_Classes\.Admin	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-176679640-153325197-3537295364-1000_Classes\.Admin\shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-176679640-153325197-3537295364-1000_Classes\.Admin\shell\runas\command\ = "cmd /x /d /r set \"f0=%2\" &call \"%2\" %3"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-176679640-153325197-3537295364-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-176679640-153325197-3537295364-1000_Classes\.Admin\shell\runas\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-176679640-153325197-3537295364-1000_Classes\.Admin\shell\runas\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-176679640-153325197-3537295364-1000_Classes\.Admin\shell\runas	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-176679640-153325197-3537295364-1000_Classes\.Admin\shell\runas\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-176679640-153325197-3537295364-1000_Classes\.Admin\shell\runas\command\ = "cmd /x /d /r set \"f0=%2\" &call \"%2\" %3"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-176679640-153325197-3537295364-1000_Classes\.Admin\shell\runas\command\ = "cmd /x /d /r set \"f0=%2\" &call \"%2\" %3"	reg.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
3116	reg.exe
3644	reg.exe
228	reg.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2420	NOTEPAD.EXE
4380	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2476	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
2476	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
2476	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
2476	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
4240	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
4240	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
4240	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
4240	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
4844	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
4844	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
4844	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
4844	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
1360	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
1360	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
1360	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
1360	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2924	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2924	7zFM.exe
Token: 35	2924	7zFM.exe
Token: SeSecurityPrivilege	2924	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2924	7zFM.exe
2924	7zFM.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2476	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
2476	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
2572	MiniSearchHost.exe
4240	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
4240	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
4844	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
4844	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
1360	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
1360	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 2924	1216	cmd.exe	80
PID 1216 wrote to memory of 2924	1216	cmd.exe	80
PID 1384 wrote to memory of 1848	1384	cmd.exe	89
PID 1384 wrote to memory of 1848	1384	cmd.exe	89
PID 1384 wrote to memory of 228	1384	cmd.exe	90
PID 1384 wrote to memory of 228	1384	cmd.exe	90
PID 1384 wrote to memory of 776	1384	cmd.exe	91
PID 1384 wrote to memory of 776	1384	cmd.exe	91
PID 1384 wrote to memory of 4300	1384	cmd.exe	92
PID 1384 wrote to memory of 4300	1384	cmd.exe	92
PID 1384 wrote to memory of 4300	1384	cmd.exe	92
PID 4300 wrote to memory of 2476	4300	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe	93
PID 4300 wrote to memory of 2476	4300	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe	93
PID 4300 wrote to memory of 2476	4300	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe	93
PID 1384 wrote to memory of 4240	1384	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe	104
PID 1384 wrote to memory of 4240	1384	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe	104
PID 1384 wrote to memory of 4240	1384	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe	104
PID 1532 wrote to memory of 1756	1532	cmd.exe	119
PID 1532 wrote to memory of 1756	1532	cmd.exe	119
PID 1532 wrote to memory of 3116	1532	cmd.exe	120
PID 1532 wrote to memory of 3116	1532	cmd.exe	120
PID 1532 wrote to memory of 4900	1532	cmd.exe	121
PID 1532 wrote to memory of 4900	1532	cmd.exe	121
PID 1532 wrote to memory of 1104	1532	cmd.exe	122
PID 1532 wrote to memory of 1104	1532	cmd.exe	122
PID 1532 wrote to memory of 1104	1532	cmd.exe	122
PID 1104 wrote to memory of 4844	1104	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe	123
PID 1104 wrote to memory of 4844	1104	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe	123
PID 1104 wrote to memory of 4844	1104	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe	123
PID 564 wrote to memory of 2116	564	cmd.exe	130
PID 564 wrote to memory of 2116	564	cmd.exe	130
PID 564 wrote to memory of 3644	564	cmd.exe	131
PID 564 wrote to memory of 3644	564	cmd.exe	131
PID 564 wrote to memory of 4316	564	cmd.exe	132
PID 564 wrote to memory of 4316	564	cmd.exe	132
PID 564 wrote to memory of 420	564	cmd.exe	133
PID 564 wrote to memory of 420	564	cmd.exe	133
PID 564 wrote to memory of 420	564	cmd.exe	133
PID 420 wrote to memory of 1360	420	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe	134
PID 420 wrote to memory of 1360	420	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe	134
PID 420 wrote to memory of 1360	420	Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe	134

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.rar
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1476

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Silent Installing Rus.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\system32\mode.com
  mode con:cols=143 lines=15
  2⤵
  PID:1848
- C:\Windows\system32\reg.exe
  reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%2\" &call \"%2\" %3"
  2⤵
  - Modifies registry class
  - Modifies registry key
  PID:228
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:776
- C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe
  "C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe" /INSTALLER /LANG=RUS /VERYSILENT
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Users\Admin\AppData\Local\Temp\is-0A0K0.tmp\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-0A0K0.tmp\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp" /SL5="$1028C,36745588,287232,C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe" /INSTALLER /LANG=RUS /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 888
      4⤵
      Program crash
      PID:3088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 924
      4⤵
      Program crash
      PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2476 -ip 2476
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2476 -ip 2476
1⤵
PID:3092

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2572

C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe
"C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\is-MBFKA.tmp\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MBFKA.tmp\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp" /SL5="$F027E,36745588,287232,C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 752
    3⤵
    - Program crash
    PID:4380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 752
    3⤵
    - Program crash
    PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4240 -ip 4240
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 4240 -ip 4240
1⤵
PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4876

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3368

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Silent Installing Eng.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\system32\mode.com
  mode con:cols=143 lines=15
  2⤵
  PID:1756
- C:\Windows\system32\reg.exe
  reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%2\" &call \"%2\" %3"
  2⤵
  - Modifies registry class
  - Modifies registry key
  PID:3116
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:4900
- C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe
  "C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe" /INSTALLER /LANG=ENG /VERYSILENT
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\is-LTQN1.tmp\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-LTQN1.tmp\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp" /SL5="$50278,36745588,287232,C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe" /INSTALLER /LANG=ENG /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 880
      4⤵
      Program crash
      PID:3356
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 880
      4⤵
      Program crash
      PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 4844 -ip 4844
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4844 -ip 4844
1⤵
PID:2448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Silent Installing Eng.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:564
- C:\Windows\system32\mode.com
  mode con:cols=143 lines=15
  2⤵
  PID:2116
- C:\Windows\system32\reg.exe
  reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%2\" &call \"%2\" %3"
  2⤵
  - Modifies registry class
  - Modifies registry key
  PID:3644
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:4316
- C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe
  "C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe" /INSTALLER /LANG=ENG /VERYSILENT
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:420
- - C:\Users\Admin\AppData\Local\Temp\is-EROU6.tmp\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-EROU6.tmp\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp" /SL5="$9026C,36745588,287232,C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe" /INSTALLER /LANG=ENG /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 880
      4⤵
      Program crash
      PID:4552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 880
      4⤵
      Program crash
      PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1360 -ip 1360
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1360 -ip 1360
1⤵
PID:2452

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
9d5ff7a0da7bacf57a0b1a3581ad9b53

SHA1
4e410c9ef6ce19a9613b4b27d78ce39bcfb340f7

SHA256
ef78492e47948eaf599a376d3fffcc009336c9ae4ca9aa60d74cde80055c2858

SHA512
afb923e6eee3f76c96e13ac5504382ab7f0c97f5b118f80b4d14d337c2f252da884c9a1eaeea8d8018853e4969a7fa0349c2b7e180facb1f811c2c90d11b9e41

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
431c3ef55fc269e403fd7c4fd78f64a8

SHA1
a88b712a7a37a3022ef8036ad891d5d40c9a58ad

SHA256
b71dea6dc7edda12c23da49e8bcc12fa6dad6e7a519df6701ac0a18b1b16c662

SHA512
85552fa6da546a9cd55874aeca4a8fec4f53989d71366a3b89dfd0c1180dd863f725db7db6faea2e4b195f47f786424c6e2c72ac9994448f31872ef2924e2c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0A0K0.tmp\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp

Filesize
1.2MB

MD5
1017852954129e230f2b5dc336fae284

SHA1
61cada86de435f716bdeb217a7f4575228031f6e

SHA256
bbc5fde76229626b55c64879989d85b2ae3e96728d2d6c69aa5606f4b841a43c

SHA512
f0ccabfdb6e4977e5a6be7e86770abb4647509c037c58e7b8ed0d9647c41ed04413ab430c73999e4a099ed395660116d77167f3c1ade041876208eb0bf23cb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KO4DC.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LTQN1.tmp\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp

Filesize
2.2MB

MD5
9b6f8ae4953ba676b1c38e223f4931bd

SHA1
ac98a825aacce6e59f952163c055a091d078f984

SHA256
e649bfbb52357d7572efa6232ef767c39ff25dfac6796bc5994ab056a5600a9c

SHA512
9092a82e134067403700f2b9805a50fa15d4a7fb6345c1a73295aba3c5e24713b0a6deaa25b12206e62d8ee8d5f40ee864981208be3dbe3b7c5456a74d7d6012

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LTQN1.tmp\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp

Filesize
1.8MB

MD5
444dcad08b9e6886f9595d9551465546

SHA1
1638c208d2bd4d8804c69c77b2d13bf9234bb4c4

SHA256
027cc5d22c504ef8bb700e6340f94f9624a900c1efa88179c354c570737b7b83

SHA512
369025f6bac6f544d4edf4bf4ac299091530812047649d0b0115b35dc8cb370736e775fa018b2be72f1326db3a46317542cd937dd075869b55ea3b4c79638f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MBFKA.tmp\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.tmp

Filesize
4.1MB

MD5
f801bd9bd3c8737bf40f94b0241b1a16

SHA1
faea9bbcd6de3fe1681786ab02794178d65839f2

SHA256
22f61bdc5457ecd5a7f786f45828c2a25a50e8d4045578b6d930f6c8e7549ada

SHA512
9d79ec28ea1d64a5e39fb8912c3f5de4a80b4015144e82251abaf914ad2d72dbb39759df51d2dd0935bb525daa4cc3f543520ea79205963f0316d813ee5e17ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TTVGA.tmp\Icon_msg.png

Filesize
4KB

MD5
c7b79609445ab802fe1ca8b100695e98

SHA1
eef99332a7733f1869a7668edec931e27df42744

SHA256
911d33f4612b335e5abc213ea00a4dfda95b79f1e4777ea4e5b0022b127fcfdf

SHA512
8583b199626f71874582edb5a00074baab38fefd4578a1cc0f7358a7bb5e996fa511f238518df408025ffc322cb04f9c6386892b9d575123164fa9217ea700ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TTVGA.tmp\Icon_standart_portable.png

Filesize
16KB

MD5
05afd7fb449719ad7f2fc386193f0b49

SHA1
c311d905bfbe1ea4e878eed6bd93fcebe7bfdfd7

SHA256
a26ba0cb335e49d972d0a97ba4c25a98994487bce9eb6d45b0fa7a0626d3a8fc

SHA512
754f424d8eb7fbba0f70eae42842f35ec8ba2cf9563c7a31c0592f9c93ca5680a9d0c0ee6826036a996feed39b0c65bf571b51f83838f0d506b21305d683ce30

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TTVGA.tmp\Icon_telegram.png

Filesize
2KB

MD5
f2e6b557dbed664214a523767a15f07f

SHA1
b763470ba251af767b18a14d46b13faa6be9fa0d

SHA256
0370d9ca570fd28f8ae167b69821abaf2a7eb13c3559e0eaffe4b253c9d7020e

SHA512
99b3b88af12cebd8d347b31e570a2e81cf5e88ca2731d31f590f6b5f9a9893058049478496abb5fb2563b2a74788604c770c2886eeb364680dba9ba2412c4be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TTVGA.tmp\botva2.dll

Filesize
41KB

MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Readme.txt

Filesize
3KB

MD5
46dce043e35f27ffd3a24c67e922628d

SHA1
0a086a9d65f25a525a15e82ca2c1c729b45ad0aa

SHA256
197ea2f00b8ee2f61c5732ed9149b15d23cba93986619302878f6a3e70b18e40

SHA512
79252c307d97273a00df2fd0b6d3f23b48084b759432a7a6d1d9153bfaebcff5e96fa38e5cd2f75b9d8fc725ea9ea877fdaf4eae6d48d53369503ce17e73e4df

Download Submit
C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Silent Installing Eng.cmd

Filesize
1KB

MD5
cb830ff50dafb10fed25b28091acbe30

SHA1
4660194994be805e7f0bc7df76ab86b009b3edee

SHA256
26d56bc5ec25100dc9fed630ea787c092f79e741a26c1d3c8bd0a39d193a19ae

SHA512
abb43a1638cc3f78ec6ed907da5b520ddc134ea55d65f364ab9e9b195e8866438f5db7a3e3798132d63e68d9687115102cb8ad8352762dfe100e7be95d964d82

Download Submit
C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Silent Installing Rus.cmd

Filesize
1KB

MD5
9e2c3edfff7ea635f17cb4ec6c21a20d

SHA1
ef7fcf048710046b99103f893494a07616ef0a3e

SHA256
01f65c23b77318a4d19975f9a8b9b33575394dfef9a64c257193f2b40544667b

SHA512
84b0f7db7b4c4dc046298c17202a92cc537d7a5abf1eab4652424a556a44d8a8fd4cf531e2033a14c422e13c3a6e6b1e06c0c28fbc217b4aa3d5c95f8d5ad66e

Download Submit
C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe

Filesize
11.4MB

MD5
44030c585a83fd3f1762f3d6ed1b47da

SHA1
fd7ce79deb7983a0bff2dcb6f8b423cc8f3a70eb

SHA256
be9bec799a89a2c2633776ae8dddf6eae32cf8de6401dd636f2abb5a9b8ecc6a

SHA512
dd2da62a838d584b0a97f8be06b36ea1f7c82dbc44c5603019f8cfea544258583aa047ec62cb553bc7a800525c9a2efb500c39df93618afa89bd0cfc4dea88e6

Download Submit
C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe

Filesize
5.2MB

MD5
e0c1bbb08b0a939c31c0b0721d00a4d5

SHA1
c497c4a57b8b8c4da0a2f2a8420c2fcb054edd5f

SHA256
068fcb1a04f18afa1d39589832934a5eb3173f384d4bfd92e3258b1c057215e2

SHA512
2d683de55d2197a879b085e86bb5fc330d3df01edf899f333204f7909535c7f76c783d1ca674868375a0dc4311359d19756064b6124b3dcf4b81adfc7453ff43

Download Submit
C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe

Filesize
1.5MB

MD5
613c68853c0672c33cd3937d5f1f89d8

SHA1
701e3cc8b718cf5d765f10483b66e6d37c13e6ef

SHA256
4f6faf26c0ba042c7a4dd0fae3f84214b5e0341524f55f2b17b42ceebca37e3c

SHA512
c575ae6224ce3091c68af3886647833fdcd5b8daee8ed15cb4f1114d49f50d71485507cbd09875d966641f9c6c629a1709ed1b474153d68e3169f46ff77c81b7

Download Submit
C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe

Filesize
5.9MB

MD5
70e1de4f892841af3869f1b3e0fe28e2

SHA1
56848f5addeb119dca34ce24116664f77db7c174

SHA256
220775f1f5091b5968751b827a2d3b6e904e3b0c86daecd522c71894c11d4199

SHA512
366794638c89083fa11bb36c1c1e287dc670a96b5708f70cd9c96af9f3afd5a2c7e12c0f5eba7bd10e92abe2bb0054ea8f305a0995ef9b39f1cb6c885c89ee0d

Download Submit
C:\Users\Admin\Desktop\Stardock_Start11_v2.0.5.4_RePack_by_xetrin\Stardock_Start11_v2.0.5.4_RePack_by_xetrin.exe

Filesize
14.9MB

MD5
2bc46b9185d3fbaac3f9092fc4134bac

SHA1
6d96d06c88e383400452ddecd3af995bfc14b47c

SHA256
3f7409e8fcc22da1e88aabf582f8e291590d49047ab028d7da65ec2d1c3d6d9c

SHA512
b18dfadd7b1a56bcc13aff1fc3744f7351de7a15d5e03da47ededca464bbfe9757be4adda3b148a8b272b833957c16ea64d52e633f3a05e7eb3f748274676edb

Download Submit
memory/420-290-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/420-373-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1104-204-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1104-287-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1360-368-0x0000000002670000-0x00000000027B0000-memory.dmp

Filesize
1.2MB

Download
memory/1360-370-0x0000000002670000-0x00000000027B0000-memory.dmp

Filesize
1.2MB

Download
memory/1384-196-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1384-123-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2476-37-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-64-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-53-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-54-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/2476-52-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-56-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-55-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-50-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-49-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-48-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/2476-47-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-46-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-44-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-57-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/2476-60-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/2476-61-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-65-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-67-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-70-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-68-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-69-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2476-72-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/2476-71-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-73-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-76-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-80-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-83-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-82-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-81-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/2476-79-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-77-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-78-0x00000000038F0000-0x00000000038F1000-memory.dmp

Filesize
4KB

Download
memory/2476-75-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/2476-45-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/2476-74-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-66-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/2476-63-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/2476-51-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/2476-62-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-97-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-59-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-58-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-98-0x0000000000400000-0x0000000000832000-memory.dmp

Filesize
4.2MB

Download
memory/2476-23-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/2476-99-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-43-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-39-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/2476-40-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-42-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/2476-41-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-25-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-24-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2476-27-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2476-26-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-28-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-38-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-35-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-36-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/2476-34-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-33-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/2476-32-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-30-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/2476-29-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/2476-31-0x0000000002760000-0x00000000028A0000-memory.dmp

Filesize
1.2MB

Download
memory/4240-194-0x0000000002670000-0x00000000027B0000-memory.dmp

Filesize
1.2MB

Download
memory/4240-191-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/4240-192-0x0000000003760000-0x0000000003761000-memory.dmp

Filesize
4KB

Download
memory/4240-190-0x0000000002670000-0x00000000027B0000-memory.dmp

Filesize
1.2MB

Download
memory/4240-129-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/4300-101-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4300-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4844-283-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/4844-282-0x00000000026A0000-0x00000000027E0000-memory.dmp

Filesize
1.2MB

Download
memory/4844-209-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download