discordrat | hxxps://s[.]neurosama[.]ai/attachments/1324648543721361449-1324648543402725396-Imagen-loro_1

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://s.neurosama.ai/attachments/1324648543721361449-1324648543402725396-Imagen-loro_1

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyNDU1MTY2MzgxNzU5MjgzMg.Gsv4Af.87VMMw-6giEs1pl29CsssUr3cLvco6RhvCUymA
server_id
1324552691812405278

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	1324648543721361449-1324648543402725396-Imagen-loro_1.exe

Executes dropped EXE 2 IoCs

pid	Process
4836	1324648543721361449-1324648543402725396-Imagen-loro_1.exe
4656	backdoor.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
964	msedge.exe
964	msedge.exe
3804	identity_helper.exe
3804	identity_helper.exe
4388	msedge.exe
4388	msedge.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4448	OpenWith.exe
532	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	taskmgr.exe
Token: SeSystemProfilePrivilege	532	taskmgr.exe
Token: SeCreateGlobalPrivilege	532	taskmgr.exe
Token: SeDebugPrivilege	4656	backdoor.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1612	mspaint.exe
1224	OpenWith.exe
3532	mspaint.exe
4448	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 4564	964	msedge.exe	83
PID 964 wrote to memory of 4564	964	msedge.exe	83
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 3276	964	msedge.exe	84
PID 964 wrote to memory of 2060	964	msedge.exe	85
PID 964 wrote to memory of 2060	964	msedge.exe	85
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86
PID 964 wrote to memory of 4300	964	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://s.neurosama.ai/attachments/1324648543721361449-1324648543402725396-Imagen-loro_1
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6b9246f8,0x7ffb6b924708,0x7ffb6b924718
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,16342756863724922403,12716658279448427358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,16342756863724922403,12716658279448427358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,16342756863724922403,12716658279448427358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2476 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,16342756863724922403,12716658279448427358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,16342756863724922403,12716658279448427358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,16342756863724922403,12716658279448427358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,16342756863724922403,12716658279448427358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,16342756863724922403,12716658279448427358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,16342756863724922403,12716658279448427358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,16342756863724922403,12716658279448427358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,16342756863724922403,12716658279448427358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2236,16342756863724922403,12716658279448427358,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,16342756863724922403,12716658279448427358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2236,16342756863724922403,12716658279448427358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1788

C:\Users\Admin\Downloads\1324648543721361449-1324648543402725396-Imagen-loro_1.exe
"C:\Users\Admin\Downloads\1324648543721361449-1324648543402725396-Imagen-loro_1.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4836
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4656

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:532

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loro.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3988

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loro.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
182B

MD5
ad9270f0215bac6b9911b281d7e33e32

SHA1
b1bccb79e9764a29937e459a9cd29e7b0b694edd

SHA256
0f4e096292f7f2ea3b242887524747e5970dbd384d0b4b17f09b577217fe0389

SHA512
652b36de5be28c12cff45df2796d2ea0ca7879bd85ce036e3b4644aa2fec858a57f74382cd1be581025e16f3db711f39926f9b7af40df820f6c409bfce0cef37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
254554d8f015cdb4c7e6313a6301505f

SHA1
1ae123f304d635877939ba5ab12e77acf7875e08

SHA256
a6a68081a6dea7b4ac0aa0a2bb6ef2b16de900cfdce5a5e61b3716e85ba2b1e0

SHA512
96247be5a9831bc7d9bad18be9f3301f99e0463ca3cf7287104c72aa21c38ae904ef4091d445c176e0e359e20c79da065567fa6303e3e25206bbf5fc853e61df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5eb66ce434f4757f5228413cd085ad69

SHA1
4d624d6cc4116da5b5caef1c5bd7068c05b8061b

SHA256
cb22d9f4a728f2883ef62008992fe5c6b528e5c3e0b74c982ee4ee3573fea6aa

SHA512
af803b256bd9ec686028bf5827b533f9992298dde6640d4a446d52b2d29c15e312ef0bc3bde1ed792f694df057fbf92dbf2aaa3008e3f0aa1d572b179f77e5c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
46708fa8377d2dd71d490f80ea99cd42

SHA1
91d45c46ef8de22d4fb23a9d32fd66d00eb8a839

SHA256
188b5b93852d168de0bc291dd5e054ac510f234be3d9925c136cdb2ea38c4e46

SHA512
165f33f9c166faa749c9af85af2eb72aa0f544e36c90db224174dbafd753b0d01d18e932c185c6e11323cbafe267b9b59b3b5d783454854293dbbf656145319a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b8d517b26487396cc5d3ed25a440b4ab

SHA1
47505219226893148f1ef3c9da798e40c7ac5ae8

SHA256
4f4e4d111310ab2bdcc344198dff32831cbdee6900f37d5c966234f62531faeb

SHA512
e6adf5b9e2c876bc1e1cbb296535fb52e2b70f817f3cf3ae6f444d627f439e495b633bdeda9e977aaf59b1cebceaf589e7afebdf581c3277e8018f5a4e796cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loro.jpg

Filesize
9KB

MD5
d8072074d2376d9ebbd6175df80f88fc

SHA1
6c1a49a0b9036be96fd4c79766ab8abc8e46ec7f

SHA256
38e2c52d0606d72b04d10202aeaaec44c09e22bc801f0f6ca5ffb69a6f732fa2

SHA512
270da0085cddf6a585a4b9322f6e877f0f7d07d859ca611176c6fe1b3e010ca41379b9973821b22008324ee03404346d2ce5c1512f9cac14785ab36d05a78b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

Filesize
78KB

MD5
dfdb4e31afcca54bbd536d1ff9f378c3

SHA1
88f973a381b342cb4bfd0952cd4985d83f0032d1

SHA256
9faf3b2adc648c52ed8f3930475cd2e75b5b415d50fb1b5d865c3ef15c77fc02

SHA512
f26d29f9c7433e82bbb3e99b41581689e9b487ea0ed61ae663f65bc28b705a7c1051a766c405394ee0d4a056d3a02a0c84fdebb307ac232d765c7e710dfaf207

Download Submit
C:\Users\Admin\Downloads\1324648543721361449-1324648543402725396-Imagen-loro_1

Filesize
709KB

MD5
9141efe15618fa406c09c030e5595f9e

SHA1
9cef69b36e557260b20298f48d11148cc9b83230

SHA256
c41c0a3aff41ec17de75cd8f31f268f5063693743eb4639c907042574b3724ca

SHA512
4a23ca9a5d35b289d9b3db7433ed9d7345ab4154e49f5bb8a0df995f28fa3ac75d25114c2ee0ba6352d80b779c9e0e50b2644e31f801a71ec8075fdb32e668ef

Download Submit
memory/532-167-0x0000013405D00000-0x0000013405D01000-memory.dmp

Filesize
4KB

Download
memory/532-163-0x0000013405D00000-0x0000013405D01000-memory.dmp

Filesize
4KB

Download
memory/532-162-0x0000013405D00000-0x0000013405D01000-memory.dmp

Filesize
4KB

Download
memory/532-168-0x0000013405D00000-0x0000013405D01000-memory.dmp

Filesize
4KB

Download
memory/532-158-0x0000013405D00000-0x0000013405D01000-memory.dmp

Filesize
4KB

Download
memory/532-166-0x0000013405D00000-0x0000013405D01000-memory.dmp

Filesize
4KB

Download
memory/532-165-0x0000013405D00000-0x0000013405D01000-memory.dmp

Filesize
4KB

Download
memory/532-164-0x0000013405D00000-0x0000013405D01000-memory.dmp

Filesize
4KB

Download
memory/532-157-0x0000013405D00000-0x0000013405D01000-memory.dmp

Filesize
4KB

Download
memory/532-156-0x0000013405D00000-0x0000013405D01000-memory.dmp

Filesize
4KB

Download
memory/3988-198-0x0000025808B70000-0x0000025808B71000-memory.dmp

Filesize
4KB

Download
memory/3988-183-0x00000257FFF60000-0x00000257FFF70000-memory.dmp

Filesize
64KB

Download
memory/3988-188-0x00000257FFFB0000-0x00000257FFFC0000-memory.dmp

Filesize
64KB

Download
memory/3988-194-0x0000025808AF0000-0x0000025808AF1000-memory.dmp

Filesize
4KB

Download
memory/3988-196-0x0000025808B70000-0x0000025808B71000-memory.dmp

Filesize
4KB

Download
memory/3988-199-0x0000025808C00000-0x0000025808C01000-memory.dmp

Filesize
4KB

Download
memory/3988-200-0x0000025808C00000-0x0000025808C01000-memory.dmp

Filesize
4KB

Download
memory/3988-201-0x0000025808C10000-0x0000025808C11000-memory.dmp

Filesize
4KB

Download
memory/3988-202-0x0000025808C10000-0x0000025808C11000-memory.dmp

Filesize
4KB

Download
memory/4656-181-0x000002846BF90000-0x000002846C4B8000-memory.dmp

Filesize
5.2MB

Download
memory/4656-180-0x000002846B650000-0x000002846B812000-memory.dmp

Filesize
1.8MB

Download
memory/4656-179-0x0000028450FD0000-0x0000028450FE8000-memory.dmp

Filesize
96KB

Download