5d23bb56ae025619efa102acbaf07801ceb76f457ca12edd3cbc89151e4339d0

Analysis

max time kernel
213s
platform
windows10-2004_x64
resource
win10v2004-20231215-es
submitted
28-01-2024 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LordsBot-Release.zip
Size

116.5MB
MD5

de4d5c35e196b53b20929f9fd7a1fd62
SHA1

e0a1979220474e5d04b364be0c7b4afa99c73577
SHA256

5d23bb56ae025619efa102acbaf07801ceb76f457ca12edd3cbc89151e4339d0
SHA512

3c9614a6fba6e5a89acbabe71fa19041983e0b9477497953f903cf120347cf63e05bd72ce2fa9bc36abac2442a2ee9a303e62a48515dd1f743369acbc00eba3a
SSDEEP

3145728:uaz+M25Gb0RfUEnBWPXtJrrw9kBCVtI4oKad4/KFz38NxX7wE:uaqTJCMutROkgVtIbbGUsXV

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Lords Monitor.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lords Monitor.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3073191680-435865314-2862784915-1000\{AE3EACCF-14B3-4CFD-9F4C-522FA350A999}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	Process
3228	msedge.exe
3228	msedge.exe
4296	msedge.exe
4296	msedge.exe
4596	identity_helper.exe
4596	identity_helper.exe
4244	msedge.exe
4244	msedge.exe
4620	msedge.exe
4620	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	Process
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

msedge.exe

pid	Process
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 4296 wrote to memory of 264	4296	msedge.exe	96
PID 4296 wrote to memory of 264	4296	msedge.exe	96
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 1240	4296	msedge.exe	98
PID 4296 wrote to memory of 3228	4296	msedge.exe	97
PID 4296 wrote to memory of 3228	4296	msedge.exe	97
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99
PID 4296 wrote to memory of 3740	4296	msedge.exe	99

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\LordsBot-Release.zip
1⤵
PID:3252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffbcee046f8,0x7ffbcee04708,0x7ffbcee04718
  2⤵
  PID:264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=3656 /prefetch:8
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=3656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1328 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --service-sandbox-type=audio --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --service-sandbox-type=video_capture --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1764 /prefetch:1
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=6400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,4480087202665584367,864085945548426856,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3116 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1124

C:\Users\Admin\Desktop\Nueva carpeta\Lords Monitor.exe
"C:\Users\Admin\Desktop\Nueva carpeta\Lords Monitor.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2566f86d2257cce05a5938f26d313895

SHA1
5434b597e050878a56cfda1328b72515b922d81e

SHA256
af07319033e8526f03da60615125107cb512dd039c4f20cbda40d544a6a58dd6

SHA512
e36fc5a864b6734c284bbfa57f7b70e5b3d11592813ff7dc8698ac7da3fdc64b404b2d36a1c60131f97a766633a52d9d0878e713cf589d1604694a8cf980456f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6c15e4f9086769547ec5f1cc01dd6ade

SHA1
25313da619dd447d18255b721b3acf4ace0f7b60

SHA256
dd5e7dd302eec84f44b522dc07b05bc795dcd5d646da02057a9f8fa5021a57fe

SHA512
43085adc4e2e5d81c6eb2c3196125da5b8c66021d8f073048633d9d0c6bf8233c13e73c1bbd60c58920f7563f83a7e566745bb67e7bf89cb064cc5cbf59b4097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
551340d1bca7c95edb7867b2cecc5887

SHA1
976b55866773a58b2cf5c73248dbe725de24bfb8

SHA256
30241c8f2a7dc571d04b02011f7c24f9f18dfa4ee3fd0a82299a93df54b648d8

SHA512
1b49e8dd5966e427160119dc126ae5f82cf2c91c6418aef5cbeb74bcd08ebce538e7228c4c3cbbf5f3724884e19172f14f52ebe2fe7b0a550c9345304168e640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b3460869a2683ddf879e14a0d507244

SHA1
de348d6c5143521b58ac113613e3b2319e593132

SHA256
ce920e54d9bb77d20ec334a340026f2fadd2eaf9900c68d1df6ec2e6748929c4

SHA512
3d14f8140f2242a48ae1858215c43a040bfb6bd8a80061127d0bfbac558210b94586c2bebb88ad652fa30121398c4a1a91f2c83eb7270cef46cb66b26bf3d025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b9b3fe038fb32e14e785693ec6b6b4a3

SHA1
2bb426462c382cb7effb6ce35ff8cfc2125cdc38

SHA256
654b8542b985f5fcb38b888fbc9588722ee4cf0041f09978500d9489b5db2d8a

SHA512
c9b70e885f392e54e3b7f50f445d3aaa15b5532fe42646b095caf47e4a28b8374491fda8a063e8e9b7cd91f60237b7bad84b293cef85db07118838eca4cbd88c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b5e4c2b9cdb6fa373f68268f2947f0ac

SHA1
1f44f1a7b74a87e4b804f9b34ba0c4eb6cec9267

SHA256
39771eafb6486fcc989f92e5aaf72e38abc46553885ffa6bc227d10fd6fb5b7e

SHA512
35635777b4e6a4e6aaf561de7dd5ad939c6bb525ac912282c15fc52aaf67e8f438dabbcf45a2d42d6202930c8ca36a6d24be106d1a873d6691d4e10af9130cb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
41c926af9e08e64f52f7f811cd99bd82

SHA1
eb03d6930c5a92da56429740b99c50153a7cf57e

SHA256
fc79ee286ddca2ed190ffa4fc3416fbbfbf294a45485b48270b7d39dbf403e29

SHA512
32ceb65ae0701fe8f0b46d8e9f5e6ab51aa9ebaec8c6cb4698c396556cbb3fe04713f608639e98213c8495370d4309cf9bfadad3edfca30e47018feace10440c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5206814f01e6c145a7b77ced325be155

SHA1
e8425b43a3c5a259b73caa4f3335fb3d1cebb89c

SHA256
4db0a3756facb38fa39bf68d2d7fdf7864b023ed9975e7d38f489da5d1df754a

SHA512
cf970c952277fcc895ad0edcbb1fe043093042338fdf7da402aeee0d9314a9e4e9c5f521f34d47df09b0c24867a00f36f9af6473b1feb13c071c75c20022280c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
986084e4a737414b959846e7ace5c2d5

SHA1
352e32b7170b6c89229397c22607311537c5d4aa

SHA256
7c25ef56424b9e2c3cbe4e92c21e83f426de8671d5cf3f49f8ee478e62e87207

SHA512
7f81f064d625eec688bf0c99bff90991d7d1f316e27856eb731f9e0951b8c43a443e01c1f48e4d6dd7700bc3914ef64fe2105474001f710fe366f3a5bbbb983c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bebfb264c41befdf470e1f60c1e65290

SHA1
435c5351294308a7cae1d798c06fedf3851066d3

SHA256
41f5acb3c51431a820df106090d752e848918ba6fcdbd5e7533c6174a80a7366

SHA512
dfd94a365680693eeec570de32765ba93b9df378af1245fd2266b6362704c17d4cef1c481effbeaade97cd12cdb17862bd62f52a766ef77c601b76a0ff5163b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6c731fc3b2b1a2da9f6025881d29ac9e

SHA1
cbe6a67e7f260dc80d02c72316cbae667a2541b4

SHA256
879b55b96e5609a71ccd78194f7fb14a8b3a06243cf1bf79211891f60be8a01b

SHA512
9a9aafb935e2b90fc31d7ffb4fe0362007bf618e875138a1ea7b785f33271d34ec41c35ba6a5176b685be73a09b1eafec614125bb5571fae95b3220a715be312

Download Submit
C:\Users\Admin\Downloads\LordsBot-Release.zip

Filesize
116.5MB

MD5
de4d5c35e196b53b20929f9fd7a1fd62

SHA1
e0a1979220474e5d04b364be0c7b4afa99c73577

SHA256
5d23bb56ae025619efa102acbaf07801ceb76f457ca12edd3cbc89151e4339d0

SHA512
3c9614a6fba6e5a89acbabe71fa19041983e0b9477497953f903cf120347cf63e05bd72ce2fa9bc36abac2442a2ee9a303e62a48515dd1f743369acbc00eba3a

Download Submit
\??\pipe\LOCAL\crashpad_4296_WOPQDAFSROGEYKSD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4640-419-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/4640-420-0x0000000000B00000-0x0000000000B6A000-memory.dmp

Filesize
424KB

Download
memory/4640-421-0x0000000005AA0000-0x0000000006044000-memory.dmp

Filesize
5.6MB

Download
memory/4640-422-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/4640-423-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/4640-424-0x0000000005570000-0x000000000557A000-memory.dmp

Filesize
40KB

Download
memory/4640-425-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download