Overview
overview
8Static
static
3StarVPN-FR...st.exe
windows10-2004-x64
8$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/UAC.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows10-2004-x64
3LICENSES.c...m.html
windows10-2004-x64
1StarVPN.exe
windows10-2004-x64
5d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows10-2004-x64
1resources/...ce.cmd
windows10-2004-x64
7resources/app.js
windows10-2004-x64
3resources/elevate.exe
windows10-2004-x64
1resources/...64.dll
windows10-2004-x64
1resources/...-1.dll
windows10-2004-x64
1resources/...64.dll
windows10-2004-x64
1resources/...pn.exe
windows10-2004-x64
1resources/...tl.exe
windows10-2004-x64
1resources/...40.dll
windows10-2004-x64
1resources/...al.exe
windows10-2004-x64
1resources/...st.exe
windows10-2004-x64
1resources/...wg.exe
windows10-2004-x64
1resources/...rd.exe
windows10-2004-x64
5resources/...tn.msi
windows10-2004-x64
6vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows10-2004-x64
1$PLUGINSDI...gs.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$PLUGINSDI...ss.dll
windows10-2004-x64
3$PLUGINSDI...7z.dll
windows10-2004-x64
3$R0/Uninst...PN.exe
windows10-2004-x64
4Analysis
-
max time kernel
120s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
23/05/2024, 05:20
Static task
static1
Behavioral task
behavioral1
Sample
StarVPN-FR1-x64-latest.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/UAC.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/WinShell.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
LICENSES.chromium.html
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
StarVPN.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
ffmpeg.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
libEGL.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
libGLESv2.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
resources/StarVPNService.cmd
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
resources/app.js
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
resources/elevate.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
resources/openvpn/x64/libcrypto-3-x64.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
resources/openvpn/x64/libpkcs11-helper-1.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
resources/openvpn/x64/libssl-3-x64.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
resources/openvpn/x64/openvpn.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
resources/openvpn/x64/tctl.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
resources/openvpn/x64/vcruntime140.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
resources/shadowsocks/x64/sslocal.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
resources/wireguard/fastlist.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
resources/wireguard/x64/wg.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
resources/wireguard/x64/wireguard.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
resources/wireguard/x64/wntn.msi
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
vk_swiftshader.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
vulkan-1.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
$PLUGINSDIR/nsProcess.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
$R0/Uninstall StarVPN.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
General
-
Target
StarVPN.exe
-
Size
150.4MB
-
MD5
3c63b18fc7ddc2626dc61118093f0f63
-
SHA1
d24f921aae3c600cc5696bc142115f526bf648a0
-
SHA256
93b638342b85eeb2547eed26fe98b1e418e6d97aff539c71d3006c66b7e59787
-
SHA512
d9dbbe71503682487a35e0a413c03ad75fdd4a9c578f38af55bc4f42ec8c753c5494f836a7f66d887b40f3dcce71d9272171ddc6de0df28fdcffe65156e2549f
-
SSDEEP
1572864:XlAhthKM29V6LLWANUB9IinJn1cpGN4vM+JlhrZnQ9I4FdUrczKrk4Ze2OC2+S:MtSD64Jnqrt5v2b
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation StarVPN.exe Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation StarVPN.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C StarVPN.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 StarVPN.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 StarVPN.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4952 wmic.exe Token: SeSecurityPrivilege 4952 wmic.exe Token: SeTakeOwnershipPrivilege 4952 wmic.exe Token: SeLoadDriverPrivilege 4952 wmic.exe Token: SeSystemProfilePrivilege 4952 wmic.exe Token: SeSystemtimePrivilege 4952 wmic.exe Token: SeProfSingleProcessPrivilege 4952 wmic.exe Token: SeIncBasePriorityPrivilege 4952 wmic.exe Token: SeCreatePagefilePrivilege 4952 wmic.exe Token: SeBackupPrivilege 4952 wmic.exe Token: SeRestorePrivilege 4952 wmic.exe Token: SeShutdownPrivilege 4952 wmic.exe Token: SeDebugPrivilege 4952 wmic.exe Token: SeSystemEnvironmentPrivilege 4952 wmic.exe Token: SeRemoteShutdownPrivilege 4952 wmic.exe Token: SeUndockPrivilege 4952 wmic.exe Token: SeManageVolumePrivilege 4952 wmic.exe Token: 33 4952 wmic.exe Token: 34 4952 wmic.exe Token: 35 4952 wmic.exe Token: 36 4952 wmic.exe Token: SeIncreaseQuotaPrivilege 4952 wmic.exe Token: SeSecurityPrivilege 4952 wmic.exe Token: SeTakeOwnershipPrivilege 4952 wmic.exe Token: SeLoadDriverPrivilege 4952 wmic.exe Token: SeSystemProfilePrivilege 4952 wmic.exe Token: SeSystemtimePrivilege 4952 wmic.exe Token: SeProfSingleProcessPrivilege 4952 wmic.exe Token: SeIncBasePriorityPrivilege 4952 wmic.exe Token: SeCreatePagefilePrivilege 4952 wmic.exe Token: SeBackupPrivilege 4952 wmic.exe Token: SeRestorePrivilege 4952 wmic.exe Token: SeShutdownPrivilege 4952 wmic.exe Token: SeDebugPrivilege 4952 wmic.exe Token: SeSystemEnvironmentPrivilege 4952 wmic.exe Token: SeRemoteShutdownPrivilege 4952 wmic.exe Token: SeUndockPrivilege 4952 wmic.exe Token: SeManageVolumePrivilege 4952 wmic.exe Token: 33 4952 wmic.exe Token: 34 4952 wmic.exe Token: 35 4952 wmic.exe Token: 36 4952 wmic.exe Token: SeShutdownPrivilege 3460 StarVPN.exe Token: SeCreatePagefilePrivilege 3460 StarVPN.exe Token: SeIncreaseQuotaPrivilege 4940 wmic.exe Token: SeSecurityPrivilege 4940 wmic.exe Token: SeTakeOwnershipPrivilege 4940 wmic.exe Token: SeLoadDriverPrivilege 4940 wmic.exe Token: SeSystemProfilePrivilege 4940 wmic.exe Token: SeSystemtimePrivilege 4940 wmic.exe Token: SeProfSingleProcessPrivilege 4940 wmic.exe Token: SeIncBasePriorityPrivilege 4940 wmic.exe Token: SeCreatePagefilePrivilege 4940 wmic.exe Token: SeBackupPrivilege 4940 wmic.exe Token: SeRestorePrivilege 4940 wmic.exe Token: SeShutdownPrivilege 4940 wmic.exe Token: SeDebugPrivilege 4940 wmic.exe Token: SeSystemEnvironmentPrivilege 4940 wmic.exe Token: SeRemoteShutdownPrivilege 4940 wmic.exe Token: SeUndockPrivilege 4940 wmic.exe Token: SeManageVolumePrivilege 4940 wmic.exe Token: 33 4940 wmic.exe Token: 34 4940 wmic.exe Token: 35 4940 wmic.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 3460 StarVPN.exe 3460 StarVPN.exe 3460 StarVPN.exe 3460 StarVPN.exe 3460 StarVPN.exe -
Suspicious use of SendNotifyMessage 6 IoCs
pid Process 3460 StarVPN.exe 3460 StarVPN.exe 3460 StarVPN.exe 3460 StarVPN.exe 3460 StarVPN.exe 3460 StarVPN.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3460 wrote to memory of 4952 3460 StarVPN.exe 89 PID 3460 wrote to memory of 4952 3460 StarVPN.exe 89 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 4440 3460 StarVPN.exe 91 PID 3460 wrote to memory of 1356 3460 StarVPN.exe 93 PID 3460 wrote to memory of 1356 3460 StarVPN.exe 93 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94 PID 3460 wrote to memory of 944 3460 StarVPN.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\StarVPN.exe"C:\Users\Admin\AppData\Local\Temp\StarVPN.exe"1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\System32\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4952
-
-
C:\Users\Admin\AppData\Local\Temp\StarVPN.exe"C:\Users\Admin\AppData\Local\Temp\StarVPN.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\StarVPN" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1728 --field-trial-handle=1868,i,974009519220743804,15431095058819221805,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:4440
-
-
C:\Users\Admin\AppData\Local\Temp\StarVPN.exe"C:\Users\Admin\AppData\Local\Temp\StarVPN.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\StarVPN" --mojo-platform-channel-handle=2152 --field-trial-handle=1868,i,974009519220743804,15431095058819221805,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:82⤵PID:1356
-
-
C:\Users\Admin\AppData\Local\Temp\StarVPN.exe"C:\Users\Admin\AppData\Local\Temp\StarVPN.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\StarVPN" --app-user-model-id= --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --first-renderer-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2468 --field-trial-handle=1868,i,974009519220743804,15431095058819221805,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:12⤵
- Checks computer location settings
PID:944
-
-
C:\Windows\system32\cmd.execmd.exe /d /s /c "netsh "wlan" "show" "interface""2⤵PID:2188
-
C:\Windows\system32\netsh.exenetsh "wlan" "show" "interface"3⤵PID:2972
-
-
-
C:\Windows\System32\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4940
-
-
C:\Windows\System32\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table2⤵PID:5044
-
-
C:\Windows\System32\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table2⤵PID:1060
-
-
C:\Windows\System32\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table2⤵PID:452
-
-
C:\Windows\System32\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table2⤵PID:5108
-
-
C:\Windows\System32\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table2⤵PID:4152
-
-
C:\Windows\System32\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table2⤵PID:4868
-
-
C:\Windows\System32\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table2⤵PID:4532
-
-
C:\Windows\System32\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table2⤵PID:2296
-
-
C:\Windows\System32\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table2⤵PID:4872
-
-
C:\Windows\System32\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table2⤵PID:3828
-
-
C:\Windows\System32\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table2⤵PID:4612
-
-
C:\Windows\System32\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table2⤵PID:3096
-
-
C:\Windows\System32\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table2⤵PID:5036
-
-
C:\Windows\System32\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table2⤵PID:2396
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
300B
MD500ebf7191eb82b69bb59f45b78c5eeda
SHA185d94745970161f2c715aa65511c6addffca5b43
SHA256ec2231d9bd8e8f25b3d305b17adf38fa3f87b6610be5c3138b3f1d0f5ae5b9c5
SHA5129c2f2073630aaaeb085b0db4412353e7da3db019ebd0bc935b7787987f79a6c0c1f3ca2de3ed1da0206dc33058e7eec5481abff4d358ba984452426fb88ca2c5
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
4KB
MD54da17de9ef39dcee41c74ede4b75a219
SHA128ab458b62c2415baad088725ae99c7c0319534a
SHA256910c61a961ea870a1e1e8705cc65a37006a27aa310c72bfddb81c6f7b7118ca3
SHA5127b23523c4210539939293ba99f1da975a1eb94f70db10d9beac15ba4da5178039930cb00252414d1f1b0593db5bcecd37829413e44a62ee487732c2b3cd108f6