File name: Stardock.Fences.4.0.7.2.x64.Multilingual.7z

Full analysis: https://app.any.run/tasks/2888cd69-6cac-4753-a5ab-20cd4b70cabf
Verdict: Malicious activity
Analysis date: October 23, 2023, 19:11:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 91865DE95E4B25AE6EB4499B3226DD36
SHA1: E5A379866FBA16B16183C0823CAB0CC5E8A3EF82
SHA256: 726AF85B273277BCC9AD7DBB2E61E2419A84B840FFD675F6E8E86A302BD934E8
SSDEEP: 98304:1o3El6PXhYD29YyylLRQI64XENv0z+dFRT1MB19sPGuLPCn6mL8vhhR9paxO2L7E:KQSmcT/tkEE8y6jZEsvhVwCcVW
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Fences4-sd-setup.exe (PID: 3284)
      • irsetup.exe (PID: 3740)
      • stardock.fences.3.0.5.x64-patch.exe (PID: 2640)
      • cmd.exe (PID: 3720)
    • Loads dropped or rewritten executable

      • irsetup.exe (PID: 3740)
    • Application was dropped or rewritten from another process

      • Fences4-sd-setup.exe (PID: 3872)
      • Fences4-sd-setup.exe (PID: 3284)
      • irsetup.exe (PID: 3740)
      • GetMachineSID.exe (PID: 3148)
      • Fences.exe (PID: 2004)
      • DeElevate.exe (PID: 1864)
      • Fences.exe (PID: 2512)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Fences4-sd-setup.exe (PID: 3284)
      • irsetup.exe (PID: 3740)
    • Reads the Windows owner or organization settings

      • irsetup.exe (PID: 3740)
    • The process exported the data from the registry

      • irsetup.exe (PID: 3740)
    • Checks Windows Trust Settings

      • irsetup.exe (PID: 3740)
    • Reads Microsoft Outlook installation path

      • irsetup.exe (PID: 3740)
    • Reads security settings of Internet Explorer

      • irsetup.exe (PID: 3740)
    • Reads settings of System Certificates

      • irsetup.exe (PID: 3740)
    • Adds/modifies Windows certificates

      • Fences4-sd-setup.exe (PID: 3284)
    • Starts CMD.EXE for commands execution

      • irsetup.exe (PID: 3740)
      • stardock.fences.3.0.5.x64-patch.exe (PID: 2640)
    • Reads Internet Explorer settings

      • irsetup.exe (PID: 3740)
    • Executing commands from ".cmd" file

      • irsetup.exe (PID: 3740)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 328)
    • Application launched itself

      • WinRAR.exe (PID: 3412)
    • Executing commands from a ".bat" file

      • stardock.fences.3.0.5.x64-patch.exe (PID: 2640)
  • INFO

    • Checks supported languages

      • Fences4-sd-setup.exe (PID: 3284)
      • irsetup.exe (PID: 3740)
      • GetMachineSID.exe (PID: 3148)
      • Fences.exe (PID: 2004)
      • DeElevate.exe (PID: 1864)
      • Fences.exe (PID: 2512)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3412)
      • WinRAR.exe (PID: 3512)
    • Create files in a temporary directory

      • irsetup.exe (PID: 3740)
      • Fences4-sd-setup.exe (PID: 3284)
      • reg.exe (PID: 3244)
      • GetMachineSID.exe (PID: 3148)
    • Reads the computer name

      • irsetup.exe (PID: 3740)
      • Fences4-sd-setup.exe (PID: 3284)
      • Fences.exe (PID: 2004)
      • GetMachineSID.exe (PID: 3148)
      • Fences.exe (PID: 2512)
    • Checks proxy server information

      • irsetup.exe (PID: 3740)
    • Reads the machine GUID from the registry

      • irsetup.exe (PID: 3740)
    • Creates files or folders in the user directory

      • irsetup.exe (PID: 3740)
    • Creates files in the program directory

      • irsetup.exe (PID: 3740)
    • Manual execution by a user

      • Fences.exe (PID: 2512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes
91
Monitored processes
38
Malicious processes
9
Suspicious processes
2

Behavior graph

Process nodes in the order the graph shows them (edges are labelled "drop and start" six times and "start" once; "no specs" is the sandbox's marker for a process with no indicators attached):
winrar.exe (no specs), fences4-sd-setup.exe (no specs), fences4-sd-setup.exe, irsetup.exe, reg.exe (no specs), getmachinesid.exe (no specs), cmd.exe (no specs), fences.exe, reg.exe (no specs) x6, winrar.exe (no specs), deelevate.exe (no specs), explorer.exe (no specs), fences.exe, stardock.fences.3.0.5.x64-patch.exe (no specs), stardock.fences.3.0.5.x64-patch.exe, cmd.exe (no specs), unngen.exe (no specs), ngen.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), movefile.exe (no specs) x12, fences.exe

Process information

PID: 328
CMD: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Stardock\Fences\1xuninstall.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: irsetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 560
CMD: "C:\Program Files\Stardock\Fences\Fences.exe"
Path: C:\Program Files\Stardock\Fences\Fences.exe
Parent process: explorer.exe
User: admin
Company: Stardock Corporation
Integrity Level: MEDIUM
Description: Fences Settings
Exit code: 0
Version: 4.0.7.2

PID: 664
CMD: movefile /accepteula "SdAppServices.dll.todo" "SdAppServices.dll"
Path: C:\Program Files\Stardock\Fences\movefile.exe
Parent process: cmd.exe
User: admin
Company: Sysinternals - www.sysinternals.com
Integrity Level: HIGH
Description: Sysinternals Movefile
Exit code: 0
Version: 1.01

PID: 760
CMD: movefile /accepteula "Stardock.ApplicationServices.dll" ""
Path: C:\Program Files\Stardock\Fences\movefile.exe
Parent process: cmd.exe
User: admin
Company: Sysinternals - www.sysinternals.com
Integrity Level: HIGH
Description: Sysinternals Movefile
Exit code: 0
Version: 1.01

PID: 1400
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
Parent process: (not listed)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 1864
CMD: "C:\Program Files\Stardock\Fences\DeElevate.exe" "C:\Program Files\Stardock\Fences\Fences.exe"
Path: C:\Program Files\Stardock\Fences\DeElevate.exe
Parent process: irsetup.exe
User: admin
Company: Stardock Corporation
Integrity Level: HIGH
Description: De-elevation tool
Exit code: 0
Version: 1, 0, 0, 1
Modules (images):
c:\program files\stardock\fences\deelevate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\program files\stardock\fences\deelevator.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll

PID: 2004
CMD: "C:\Program Files\Stardock\Fences\Fences.exe" /install
Path: C:\Program Files\Stardock\Fences\Fences.exe
Parent process: irsetup.exe
User: admin
Company: Stardock Corporation
Integrity Level: HIGH
Description: Fences Settings
Exit code: 3762504530 (0xE0434352, the CLR unhandled-exception code: the .NET process died on an uncaught exception)
Version: 4.0.7.2
Modules (images):
c:\program files\stardock\fences\fences.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2080
CMD: movefile /accepteula "DesktopDock.dll" ""
Path: C:\Program Files\Stardock\Fences\movefile.exe
Parent process: cmd.exe
User: admin
Company: Sysinternals - www.sysinternals.com
Integrity Level: HIGH
Description: Sysinternals Movefile
Exit code: 0
Version: 1.01

PID: 2096
CMD: C:\Windows\system32\reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{10CD364B-FFCC-48BE-B469-B9622A033075}" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\reg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 2124
CMD: movefile /accepteula "SdAppServices.dll" ""
Path: C:\Program Files\Stardock\Fences\movefile.exe
Parent process: cmd.exe
User: admin
Company: Sysinternals - www.sysinternals.com
Integrity Level: HIGH
Description: Sysinternals Movefile
Exit code: 0
Version: 1.01
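The process table shows the two mechanisms worth a second look: Sysinternals MoveFile run from cmd.exe against DLLs in C:\Program Files\Stardock\Fences (an empty destination, `""`, schedules deletion at the next reboot; `SdAppServices.dll.todo` is queued to be renamed over `SdAppServices.dll`), and reg.exe force-deleting a product's Uninstall key. The report lists parent image names but not parent PIDs, so it does not say whether a given cmd.exe child belongs to the vendor's own 1xuninstall.cmd (PID 328, started by irsetup.exe) or to the .bat started by stardock.fences.3.0.5.x64-patch.exe; note also that the guest is 32-bit Windows 7, so any x64-only component in the archive could not have executed here. The following Python triage is an added example, not code from the ANY.RUN report, from Stardock or from the patch archive: the records are constructed from the table above, and the PendingFileRenameOperations sample value is constructed to illustrate the registry format MoveFile writes, since the report does not show that key.

```python
"""Triage of the process records above (added example; not the report's code).

SAMPLE is constructed from the report's process table (image path, parent
image name, command line). No parent PIDs are given in the report, so the
cmd.exe-parented movefile/reg calls are flagged without attribution.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str      # full path of the executable
    parent: str     # parent image name, as the report shows it
    cmdline: str


# PIDs 328, 664, 760, 2096, 2124 are copied from the report. PID 3720's parent
# comes from the behaviour graph; its command line is not in the report, so it
# is left empty here.
SAMPLE = [
    Proc(328, r"C:\Windows\System32\cmd.exe", "irsetup.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Program Files\Stardock\Fences\1xuninstall.cmd" "'),
    Proc(664, r"C:\Program Files\Stardock\Fences\movefile.exe", "cmd.exe",
         'movefile /accepteula "SdAppServices.dll.todo" "SdAppServices.dll"'),
    Proc(760, r"C:\Program Files\Stardock\Fences\movefile.exe", "cmd.exe",
         'movefile /accepteula "Stardock.ApplicationServices.dll" ""'),
    Proc(2096, r"C:\Windows\System32\reg.exe", "cmd.exe",
         r'C:\Windows\system32\reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{10CD364B-FFCC-48BE-B469-B9622A033075}" /f'),
    Proc(2124, r"C:\Program Files\Stardock\Fences\movefile.exe", "cmd.exe",
         'movefile /accepteula "SdAppServices.dll" ""'),
    Proc(3720, r"C:\Windows\System32\cmd.exe", "stardock.fences.3.0.5.x64-patch.exe", ""),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
PATCHER = re.compile(r"patch|crack|keygen|activat", re.I)
UNINSTALL_KEY = re.compile(r"\\CurrentVersion\\Uninstall\\", re.I)
SCRIPT = re.compile(r'[^"\s]+\.(?:cmd|bat)\b', re.I)


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted arguments (including "") intact."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def triage(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, tag, detail) for the behaviours in the report worth a second look."""
    out = []
    for p in procs:
        name = p.image.rsplit("\\", 1)[-1].lower()
        toks = tokens(p.cmdline)
        if name == "movefile.exe":
            # Sysinternals MoveFile uses MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT);
            # an empty destination ("") schedules deletion of the source at next boot.
            args = [t for t in toks[1:] if not t.startswith("/")]
            if len(args) == 2:
                src, dst = args
                if dst == "":
                    out.append((p.pid, "delete-at-reboot", src))
                else:
                    out.append((p.pid, "replace-at-reboot", f"{src} -> {dst}"))
        elif name == "reg.exe" and len(toks) >= 3 and toks[1].lower() == "delete":
            if UNINSTALL_KEY.search(toks[2]):
                out.append((p.pid, "uninstall-entry-removed", toks[2]))
        elif name == "cmd.exe":
            if PATCHER.search(p.parent):
                out.append((p.pid, "cmd-spawned-by-patcher", p.parent))
            m = SCRIPT.search(p.cmdline)
            if m:
                out.append((p.pid, "script-file-executed", m.group(0).rsplit("\\", 1)[-1]))
    return out


def parse_pending_renames(multi_sz: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Interpret HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\
    PendingFileRenameOperations (REG_MULTI_SZ of alternating source/destination
    in NT form \\??\\C:\\...). Empty destination = delete at boot; a destination
    starting with '!' = replace an existing file."""
    def nt(path: str) -> str:
        return path[4:] if path.startswith("\\??\\") else path
    ops = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        if dst == "":
            ops.append(("delete", nt(src), None))
        elif dst.startswith("!"):
            ops.append(("replace", nt(src), nt(dst[1:])))
        else:
            ops.append(("move", nt(src), nt(dst)))
    return ops


# Constructed value (not shown in the report): what the two movefile commands
# for SdAppServices.dll above would queue for the next reboot.
PENDING_SAMPLE = [
    r"\??\C:\Program Files\Stardock\Fences\SdAppServices.dll", "",
    r"\??\C:\Program Files\Stardock\Fences\SdAppServices.dll.todo",
    r"!\??\C:\Program Files\Stardock\Fences\SdAppServices.dll",
]


def decode_exit_code(code: int) -> str:
    """Render a raw exit code as hex with a label for well-known NTSTATUS/SEH values."""
    known = {0xE0434352: "CLR unhandled exception (.NET)",
             0xC0000005: "STATUS_ACCESS_VIOLATION"}
    code &= 0xFFFFFFFF
    return f"0x{code:08X} {known.get(code, '')}".rstrip()


if __name__ == "__main__":
    for pid, tag, detail in triage(SAMPLE):
        print(f"{pid:>5}  {tag:<24} {detail}")
    for op in parse_pending_renames(PENDING_SAMPLE):
        print(op)
    print("Fences.exe /install exit code:", decode_exit_code(3762504530))
```

On a live host the same check is done by reading the PendingFileRenameOperations value from the registry before the reboot happens; once the machine restarts the queued renames and deletes are applied by the session manager and the value is cleared, so the sandbox run above is the only place this staging is visible.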
Total events
10 597
Read events
10 476
Write events
120
Delete events
1

Modification events

Process: WinRAR.exe (PID 3412)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: WinRAR.exe (PID 3412)
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Process: WinRAR.exe (PID 3412)
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: WinRAR.exe (PID 3412)
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

Process: WinRAR.exe (PID 3412)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: WinRAR.exe (PID 3412)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: WinRAR.exe (PID 3412)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: WinRAR.exe (PID 3412)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: explorer.exe (PID 1400)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value: (not shown in this export)

Process: WinRAR.exe (PID 3412)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files
56
Suspicious files
18
Text files
135
Unknown types
0

Dropped files

Process: WinRAR.exe (PID 3412)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3412.28366\Stardock.Fences.4.0.7.2.x64.Multilingual\Patch-AMPED\AMPED\AMPED.txt
Type: text
MD5: 4CA637758356B1127E8D265B842B6307
SHA256: 224A4E40AC827974D15FADEFD26769C2B65B85698901615AF9AF3EA3BBA23BCF

Process: WinRAR.exe (PID 3412)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3412.28366\Stardock.Fences.4.0.7.2.x64.Multilingual\Fences4-sd-setup.exe
Type: executable
MD5: BBD6A379E6653D0B51BA59EFFCA58A0B
SHA256: 73BFDC4B79C266011A0070F77D16BCD85302B1C6077F8DE13CB1C6A0670C1543

Process: WinRAR.exe (PID 3412)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3412.28366\Stardock.Fences.4.0.7.2.x64.Multilingual\Patch-AMPED.rar
Type: compressed
MD5: F6AFB26E4670691B05A9123293BDAC92
SHA256: 8C06AA8127D02105D17F52B4B83F4E080AECEDB8B368277FF269B991915DBF96

Process: Fences4-sd-setup.exe (PID 3284)
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Type: executable
MD5: 68AC216F38A5F7C823712C216CA4B060
SHA256: 748D48D246526E2A79EDCDE87255FFA5387E3BCC94F6CA5E59589E07E683CD80

Process: irsetup.exe (PID 3740)
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat
Type: binary
MD5: A75DF95333BBCA5F86642CC5F7C1CC8E
SHA256: 70EC6D9037C0C582C0D128A3155A535D5D0B0675229420E80ABEA2B55F9F6E40

Process: irsetup.exe (PID 3740)
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG
Type: image
MD5: AC40DED6736E08664F2D86A65C47EF60
SHA256: F35985FE1E46A767BE7DCEA35F8614E1EDD60C523442E6C2C2397D1E23DBD3EA

Process: irsetup.exe (PID 3740)
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG
Type: image
MD5: 3220A6AEFB4FC719CC8849F060859169
SHA256: 988CF422CBF400D41C48FBE491B425A827A1B70691F483679C1DF02FB9352765

Process: irsetup.exe (PID 3740)
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
Type: executable
MD5: 55BBF335F75F2A2FE0A5DAF603964D41
SHA256: 723ADAE0E69127A6BFBC65C5EF552A351264205EA5E2BC3B80E505FEAA5D0E43

Process: irsetup.exe (PID 3740)
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd
Type: executable
MD5: 6EEC47AB86D212FE3ED0F56985C8E817
SHA256: D0B2FA60E707982899ECD8C4DC462721C82491245B26721A7C0E840C5F557AED

Process: WinRAR.exe (PID 3412)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3412.28366\Stardock.Fences.4.0.7.2.x64.Multilingual\Patch-AMPED\amped.nfo
Type: text
MD5: 3DCA76A9B9D101A4E18BD54A603A4984
SHA256: F16790043FDD3B7D704CD76025A69427A9CE19EA8E56509BC60259BD22DB9EB4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
7
DNS requests
4
Threats
0

HTTP requests

Process: irsetup.exe (PID 3740)
Method / HTTP code: GET 200
IP: 67.27.235.126:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?43bc00670cb748e7
Country: unknown
Type: compressed
Size: 4.66 Kb
Reputation: unknown

Process: irsetup.exe (PID 3740)
Method / HTTP code: GET 200
IP: 23.53.40.154:80
URL: http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgMVFUoz%2BDY0lSLjAL1D4bfnvw%3D%3D
Country: unknown
Type: binary
Size: 503 b
Reputation: unknown

Process: irsetup.exe (PID 3740)
Method / HTTP code: GET 200
IP: 23.212.210.158:80
URL: http://x1.c.lencr.org/
Country: unknown
Type: binary
Size: 717 b
Reputation: unknown
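The three plain-HTTP requests from irsetup.exe are Windows CryptoAPI chain-building traffic rather than installer payload: a refresh of the disallowed-certificate CTL from ctldl.windowsupdate.com, an OCSP status query to Let's Encrypt's R3 responder, and a CA certificate fetch from x1.c.lencr.org, all triggered when irsetup.exe validated the server certificate for its TLS connection to install.api.stardock.net:443 (listed under Connections). An OCSP GET carries the whole request as URL-safe base64 DER in the path, so it can be decoded offline to see which issuer and serial were being checked. The following Python is an added example, not code from the report or from any vendor: it copies the r3.o.lencr.org URL from the table above, walks the DER with a minimal TLV reader written for this example, and classifies each of the three URLs. The issuerKeyHash it recovers equals the subject key identifier of Let's Encrypt's R3 intermediate.

```python
"""Decode the OCSP query irsetup.exe sent (added example; not the report's code).

OCSP_URL is copied from the HTTP table above. der_tlv is a minimal DER
reader (definite lengths only, which is all an OCSP GET request uses).
"""
import base64
import urllib.parse
from typing import Dict, Tuple

OCSP_URL = "http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgMVFUoz%2BDY0lSLjAL1D4bfnvw%3D%3D"

# Hash algorithm OIDs that appear in an OCSP CertID (DER content octets).
HASH_OIDS = {b"\x2b\x0e\x03\x02\x1a": "sha1",                     # 1.3.14.3.2.26
             b"\x60\x86\x48\x01\x65\x03\x04\x02\x01": "sha256"}   # 2.16.840.1.101.3.4.2.1


def der_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, content, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ocsp_get(url: str) -> Dict[str, str]:
    """Decode an RFC 6960 OCSP GET (base64 DER in the URL path) and return the
    first CertID: hash algorithm, issuerNameHash, issuerKeyHash, serial (hex)."""
    path = url.split("/", 3)[3]            # everything after http://host/
    raw = base64.b64decode(urllib.parse.unquote(path))
    tag, ocsp_request, _ = der_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = der_tlv(ocsp_request, 0)   # TBSRequest
    # Optional [0] version and [1] requestorName may precede requestList (SEQUENCE).
    pos = 0
    while True:
        tag, body, nxt = der_tlv(tbs, pos)
        if tag == 0x30:
            request_list = body
            break
        pos = nxt
    _, request, _ = der_tlv(request_list, 0)   # first Request
    _, cert_id, _ = der_tlv(request, 0)        # CertID
    _, alg, p = der_tlv(cert_id, 0)            # AlgorithmIdentifier
    _, oid, _ = der_tlv(alg, 0)
    _, name_hash, p = der_tlv(cert_id, p)      # issuerNameHash  OCTET STRING
    _, key_hash, p = der_tlv(cert_id, p)       # issuerKeyHash   OCTET STRING
    _, serial, _ = der_tlv(cert_id, p)         # serialNumber    INTEGER
    return {"hash_alg": HASH_OIDS.get(bytes(oid), oid.hex()),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": serial.hex()}


def classify_request(url: str) -> str:
    """Label a URL from the table: Windows CTL download, OCSP query, or other."""
    host = urllib.parse.urlsplit(url).hostname or ""
    if host == "ctldl.windowsupdate.com":
        return "windows-ctl-update"
    try:
        parse_ocsp_get(url)
        return "ocsp"
    except (ValueError, IndexError):       # not base64 DER, or not OCSP-shaped
        return "other"


if __name__ == "__main__":
    for k, v in parse_ocsp_get(OCSP_URL).items():
        print(f"{k:<17} {v}")
    for u in (OCSP_URL, "http://x1.c.lencr.org/",
              "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?43bc00670cb748e7"):
        print(classify_request(u), u[:60])
```

Seeing these three fetches next to a TLS connection is the normal signature of a Windows process validating a Let's Encrypt certificate chain; they become interesting only if the matching 443 connection goes somewhere the software has no business contacting.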

Connections

Process: System (PID 4)
IP: 192.168.100.255:137
Reputation: whitelisted

Process: irsetup.exe (PID 3740)
IP: 66.79.209.82:443
Domain: install.api.stardock.net
ASN: TELNET
Country: US
Reputation: unknown

Process: irsetup.exe (PID 3740)
IP: 67.27.235.126:80
Domain: ctldl.windowsupdate.com
ASN: LEVEL3
Country: US
Reputation: unknown

Process: irsetup.exe (PID 3740)
IP: 23.212.210.158:80
Domain: x1.c.lencr.org
ASN: AKAMAI-AS
Country: AU
Reputation: unknown

Process: irsetup.exe (PID 3740)
IP: 23.53.40.154:80
Domain: r3.o.lencr.org
ASN: Akamai International B.V.
Country: DE
Reputation: unknown

Process: System (PID 4)
IP: 192.168.100.255:138
Reputation: whitelisted

DNS requests

install.api.stardock.net
  • 66.79.209.82
Reputation: whitelisted

ctldl.windowsupdate.com
  • 67.27.235.126
  • 8.253.95.120
  • 67.27.157.126
  • 8.241.9.254
  • 67.26.139.254
Reputation: whitelisted

x1.c.lencr.org
  • 23.212.210.158
Reputation: whitelisted

r3.o.lencr.org
  • 23.53.40.154
  • 23.53.40.123
Reputation: shared

Threats

No threats detected
No debug info