Analysis
-
max time kernel
146s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
30-06-2024 19:36
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://cold2.gofile.io/download/web/a673e9fe-027c-4907-941f-c24137ab12dc/ARES%20Private%20RAT%20v2.5%20By%20Drcrypt0r.rar
Resource
win10v2004-20240611-en
General
-
Target
https://cold2.gofile.io/download/web/a673e9fe-027c-4907-941f-c24137ab12dc/ARES%20Private%20RAT%20v2.5%20By%20Drcrypt0r.rar
Malware Config
Extracted
xworm
5.0
should-nutritional.gl.at.ply.gg:22817
q0vjMgzmZTmKaa3q
-
Install_directory
%Temp%
-
install_file
svchost.exe
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\XClient.exe family_xworm behavioral1/memory/5764-157-0x0000000000BE0000-0x0000000000C08000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 5160 powershell.exe 5756 powershell.exe 5900 powershell.exe 6080 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ARES RAT2.exeXClient.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation ARES RAT2.exe Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation XClient.exe -
Drops startup file 2 IoCs
Processes:
XClient.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk XClient.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk XClient.exe -
Executes dropped EXE 6 IoCs
Processes:
ARES RAT2.exeARES RAT.exeXClient.exeIf it doesnt work try this.exesvchost.exesvchost.exepid process 5212 ARES RAT2.exe 5588 ARES RAT.exe 5764 XClient.exe 5504 If it doesnt work try this.exe 5148 svchost.exe 5668 svchost.exe -
Loads dropped DLL 3 IoCs
Processes:
If it doesnt work try this.exepid process 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
XClient.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" XClient.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 66 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1372 5588 WerFault.exe ARES RAT.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exeXClient.exeIf it doesnt work try this.exemsedge.exepid process 3580 msedge.exe 3580 msedge.exe 3740 msedge.exe 3740 msedge.exe 4840 identity_helper.exe 4840 identity_helper.exe 5692 msedge.exe 5692 msedge.exe 5900 powershell.exe 5900 powershell.exe 5900 powershell.exe 6080 powershell.exe 6080 powershell.exe 6080 powershell.exe 5160 powershell.exe 5160 powershell.exe 5160 powershell.exe 5756 powershell.exe 5756 powershell.exe 5756 powershell.exe 5764 XClient.exe 5764 XClient.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5892 msedge.exe 5892 msedge.exe 5892 msedge.exe 5892 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
If it doesnt work try this.exepid process 5504 If it doesnt work try this.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes:
msedge.exepid process 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
7zG.exeXClient.exepowershell.exepowershell.exepowershell.exepowershell.exeAUDIODG.EXEsvchost.exesvchost.exedescription pid process Token: SeRestorePrivilege 6028 7zG.exe Token: 35 6028 7zG.exe Token: SeSecurityPrivilege 6028 7zG.exe Token: SeSecurityPrivilege 6028 7zG.exe Token: SeDebugPrivilege 5764 XClient.exe Token: SeDebugPrivilege 5900 powershell.exe Token: SeDebugPrivilege 6080 powershell.exe Token: SeDebugPrivilege 5160 powershell.exe Token: SeDebugPrivilege 5756 powershell.exe Token: SeDebugPrivilege 5764 XClient.exe Token: 33 2560 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2560 AUDIODG.EXE Token: SeDebugPrivilege 5148 svchost.exe Token: SeDebugPrivilege 5668 svchost.exe -
Suspicious use of FindShellTrayWindow 46 IoCs
Processes:
msedge.exe7zG.exeIf it doesnt work try this.exepid process 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 6028 7zG.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe -
Suspicious use of SendNotifyMessage 26 IoCs
Processes:
msedge.exeIf it doesnt work try this.exepid process 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 3740 msedge.exe 5504 If it doesnt work try this.exe 5504 If it doesnt work try this.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
XClient.exeIf it doesnt work try this.exepid process 5764 XClient.exe 5504 If it doesnt work try this.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 3740 wrote to memory of 5008 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5008 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 1040 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 3580 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 3580 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe PID 3740 wrote to memory of 5012 3740 msedge.exe msedge.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cold2.gofile.io/download/web/a673e9fe-027c-4907-941f-c24137ab12dc/ARES%20Private%20RAT%20v2.5%20By%20Drcrypt0r.rar1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bd0546f8,0x7ff9bd054708,0x7ff9bd0547182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5844 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap27797:130:7zEvent232411⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\ARES RAT2.exe"C:\Users\Admin\Downloads\ARES RAT2.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ARES RAT.exe"C:\Users\Admin\AppData\Local\Temp\ARES RAT.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 11803⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5588 -ip 55881⤵
-
C:\Users\Admin\Downloads\If it doesnt work try this.exe"C:\Users\Admin\Downloads\If it doesnt work try this.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x524 0x4f01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.logFilesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5db9081c34e133c32d02f593df88f047a
SHA1a0da007c14fd0591091924edc44bee90456700c6
SHA256c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e
SHA51212f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD53a09f853479af373691d131247040276
SHA11b6f098e04da87e9cf2d3284943ec2144f36ac04
SHA256a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f
SHA512341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
288B
MD56376e412b719ec42d766d04a398aec95
SHA16308115f73286df17278c4d44c7cb779a100a63a
SHA25612e593c818fe90b5e5520803053bb2fe1e89196e5cd688b8554122e9e81fa4a4
SHA51291506d7a6f3c9dccf023d209a190e768b90715f6d0bb5b545f20178565866994c7c42520f9aea71d1f4687f1d25885ff1c5def14297bca64df519c19e8f92162
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
317B
MD5ad6063ef6354374fd73093899fa71a32
SHA1598411f480fb851193bf5d322c6825a453159ab9
SHA25678c0fa8f5e8fa36ad6eafb6286f0eb4caf9457d54d230a4099767ee51c0e8ab6
SHA512912ba2b07360117409ce1781c80de9a89531c84b7ff55d12f2a66b19dbd1775167a7530eb8807c57a74b1c822de9ab62179d009b6713d0015b29e1e586b7e0e6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD543d4cc41a89f365c2208f447b2d96f52
SHA10932639c6edc5326f47d674e0340099ef9f0150f
SHA256ab348cddf74888a50de2ea2f19ac5213ced9b4e701d224109b10761be8fb2576
SHA512fe417d907597ae06d6236f6902eae59434badc001013448c8e5132963b5e1f2ba2e82709c432b4c9281fadcc5be7cabea024f2f5af6e9605428cf921f511d941
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5eb21c0edf1a3b55d8b3136e41643553a
SHA18982e7f651a15388267c78a0ef881a8eaa06ac19
SHA2564b259ba144273d59101bc7830bea31d67b808750b4ba5744cfc23cbe283d10aa
SHA5128e3af6636f163c77c68178c33e674211b14efdf53c89898c1df54f81a38c00fd880148cfbbc7d090ec5c04360d57c3e19efc9c4d646884cd84ae1cc44bb47118
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5fc6cc3ffa7e6aad4e64daebc7dd8ca0c
SHA134d5325fe6e8024966775f786a2abb5f6218dbcd
SHA2567e14689300ad45aef9242eeac87715ff53ed06ce1d7c51b271fc54daae89a4d0
SHA5126a49c406e03d174e54053a0c304ed5cf74c35f42c27b03ec6c532b32305b37f765b76b5ecaac51e1f2c0d228f048b1408fc30b453a353935e4adbb3883df80f0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5e105e5d556d70660607dfc614ce68007
SHA1fc6c17f0bde9c266b02bca74035bd85f675c87bf
SHA256fef999034800fed5e04cb0a677e9f3281fe923b05f6bc271d2d8f807be7e1fbd
SHA512ab3727092a6c4e47cc1a7398f7ad2029e33cdbe98bf22de1211b7a350908aaabac43631f6e0d16baeffecfd2d03669bfa4811067cc4efa7a842416a8c5548eab
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD510890cda4b6eab618e926c4118ab0647
SHA11e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA25600f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD598baf5117c4fcec1692067d200c58ab3
SHA15b33a57b72141e7508b615e17fb621612cb8e390
SHA25630bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51
SHA512344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d
-
C:\Users\Admin\AppData\Local\SkinSoft\VisualStyler\2.4.59444.6\x86\ssapihook.dllFilesize
57KB
MD59e7f44b8f1512476aa896e977c58830b
SHA1eddd878d9e16502ee1eb7f583dd04e01b458ba42
SHA2568e6195b50bb0d22e4d346263f708f166db726c84884fe78a6bb477caed19e708
SHA512ea52b71dc58e081d0e6c1336e7bf8422d7240c8a502c790075c6ebfe88f8ff70cd2bf43d34b8c604c08d867202359f8bd35c3a0b8d2eefefe826ccd2e5c8c802
-
C:\Users\Admin\AppData\Local\Temp\XClient.exeFilesize
139KB
MD57236c15c27e7e63a179e4fc935e2aaf7
SHA12eb5ac67a7942a2b7b9a64942b4c621367f61881
SHA256e4f859e199ed7f9933f7da654947cf04ec6c91367d53f6f0fc31f8b1872ac9a0
SHA512845b9a6abbc9e4d5fb2121a7f1ccac892557d7c2fa57752226264e268254483a0b4184e3f0398c0fc22a009b81b9e7cdf6071146ab18afd563eabb13dabfde7f
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oyslrzyq.1h4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\Downloads\SkinSoft.VisualStyler.dllFilesize
1.0MB
MD560ac512e63a6b95eb37cfd530a01b94e
SHA14b5a1fa50008439ac074d732447ab9032a157114
SHA2569f3e7ea22d052fee0e5be8cd904ac4425f3840df7452c760d5cc5357830c394e
SHA512a6cbf2f1f6eedcb142aeca7218334dd16058b9f643e51cee4771e1a0f7124676361deac0c48d61468296e88035e4dd49b55fd139b80ece54c86c0338bdedd681
-
\??\pipe\LOCAL\crashpad_3740_RQRDRGHVWUTFOBLFMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/5212-133-0x0000000000760000-0x0000000003CCC000-memory.dmpFilesize
53.4MB
-
memory/5504-235-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/5504-234-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/5504-291-0x000000000CB60000-0x000000000CB82000-memory.dmpFilesize
136KB
-
memory/5504-244-0x0000000000120000-0x0000000000121000-memory.dmpFilesize
4KB
-
memory/5504-243-0x0000000000110000-0x0000000000111000-memory.dmpFilesize
4KB
-
memory/5504-219-0x0000000009980000-0x0000000009A8E000-memory.dmpFilesize
1.1MB
-
memory/5504-220-0x0000000009EC0000-0x000000000A214000-memory.dmpFilesize
3.3MB
-
memory/5504-242-0x0000000000100000-0x0000000000101000-memory.dmpFilesize
4KB
-
memory/5504-227-0x0000000000010000-0x0000000000011000-memory.dmpFilesize
4KB
-
memory/5504-228-0x0000000000020000-0x0000000000021000-memory.dmpFilesize
4KB
-
memory/5504-229-0x0000000000030000-0x0000000000031000-memory.dmpFilesize
4KB
-
memory/5504-230-0x0000000000040000-0x0000000000041000-memory.dmpFilesize
4KB
-
memory/5504-231-0x0000000000050000-0x0000000000051000-memory.dmpFilesize
4KB
-
memory/5504-232-0x0000000000060000-0x0000000000061000-memory.dmpFilesize
4KB
-
memory/5504-233-0x0000000000070000-0x0000000000071000-memory.dmpFilesize
4KB
-
memory/5504-241-0x00000000000F0000-0x00000000000F1000-memory.dmpFilesize
4KB
-
memory/5504-240-0x00000000000E0000-0x00000000000E1000-memory.dmpFilesize
4KB
-
memory/5504-236-0x00000000000A0000-0x00000000000A1000-memory.dmpFilesize
4KB
-
memory/5504-237-0x00000000000B0000-0x00000000000B1000-memory.dmpFilesize
4KB
-
memory/5504-238-0x00000000000C0000-0x00000000000C1000-memory.dmpFilesize
4KB
-
memory/5504-239-0x00000000000D0000-0x00000000000D1000-memory.dmpFilesize
4KB
-
memory/5588-159-0x0000000008D30000-0x0000000008DCC000-memory.dmpFilesize
624KB
-
memory/5588-160-0x0000000009380000-0x0000000009924000-memory.dmpFilesize
5.6MB
-
memory/5588-161-0x0000000008DD0000-0x0000000008E62000-memory.dmpFilesize
584KB
-
memory/5588-163-0x0000000009120000-0x0000000009176000-memory.dmpFilesize
344KB
-
memory/5588-158-0x0000000000DE0000-0x00000000042E4000-memory.dmpFilesize
53.0MB
-
memory/5588-162-0x0000000009060000-0x000000000906A000-memory.dmpFilesize
40KB
-
memory/5764-157-0x0000000000BE0000-0x0000000000C08000-memory.dmpFilesize
160KB
-
memory/5900-164-0x000001FAE2CE0000-0x000001FAE2D02000-memory.dmpFilesize
136KB