discordrat | 4bc07dc7d54350b70913815ce1e64e7de0a4a553f98c329d9dfa102393596c60

Resubmissions

05-01-2025 06:16

250105-g1f9vaxlbr 10

04-01-2025 00:55

250104-a964asvmep 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fischV2.02.exe
Size

78KB
MD5

4f659af6caa703cd8780a4a925cd849e
SHA1

73a3695830bb58b6f8d632bdf5a29418b966f6ca
SHA256

4bc07dc7d54350b70913815ce1e64e7de0a4a553f98c329d9dfa102393596c60
SHA512

5c852b9128e31cf44dab3443524cb81a52f6b570cc6b594b43469e2b94d93539dbbc5f07f4ddbada11fb7d54860cce2f6b43e724adced3f3c8f451da2f29b244
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+qPIC:5Zv5PDwbjNrmAE+2IC

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyMzE2MTk4MjQzMzQ5NzEyOQ.GmrYkf.Va-lbgJHpsxO7N5MLPC3bQrsddsoShr2_MH-C0
server_id
1324840093432680478

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133805313772139727"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a77d67f395fdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce914e7f395fdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004356537f395fdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bca877f395fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004f36f7f395fdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c93ca081395fdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe

Modifies registry class 31 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe1000000017f175529918db01faa903a1a118db0103e1f58d395fdb0114000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\NodeSlot = "9"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0400000001000000020000000300000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 02000000030000000100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000020000000300000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\MRUListEx = ffffffff	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2664	chrome.exe
2664	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4736	fischV2.02.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2908	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 1436	2664	chrome.exe	88
PID 2664 wrote to memory of 1436	2664	chrome.exe	88
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3676	2664	chrome.exe	89
PID 2664 wrote to memory of 3748	2664	chrome.exe	90
PID 2664 wrote to memory of 3748	2664	chrome.exe	90
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91
PID 2664 wrote to memory of 2224	2664	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\fischV2.02.exe
"C:\Users\Admin\AppData\Local\Temp\fischV2.02.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb74facc40,0x7ffb74facc4c,0x7ffb74facc58
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2088,i,11145531655372301736,17482828345106099168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1824,i,11145531655372301736,17482828345106099168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,11145531655372301736,17482828345106099168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2500 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,11145531655372301736,17482828345106099168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,11145531655372301736,17482828345106099168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,11145531655372301736,17482828345106099168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4868,i,11145531655372301736,17482828345106099168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,11145531655372301736,17482828345106099168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:3712
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff744664698,0x7ff7446646a4,0x7ff7446646b0
    3⤵
    - Drops file in Program Files directory
    PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5188,i,11145531655372301736,17482828345106099168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4924,i,11145531655372301736,17482828345106099168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4884,i,11145531655372301736,17482828345106099168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,11145531655372301736,17482828345106099168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5380,i,11145531655372301736,17482828345106099168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:2
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5172,i,11145531655372301736,17482828345106099168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3292,i,11145531655372301736,17482828345106099168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5320,i,11145531655372301736,17482828345106099168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2044

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
PID:4260
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2876
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\29b43078-1e76-4196-a1fa-89219cd58f74.tmp

Filesize
231KB

MD5
57c2500faf82398460feedcd724f722b

SHA1
3502f75d030269115df6a478b4e6c9248a7b90d6

SHA256
4e9a9ef033a3ceaef84f7b564c7597e38c7cf9d24f577864315967674b993cc7

SHA512
177367b65114508bcee0d0f3612c08186aecd0ef218073f919030b77d003b9e32c515de958b94cc7b73bd37ad4d548108c072e6105d878d46d94d3de891372c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
124bbefb2e45e116a010ad9adaefe5c1

SHA1
eef7bdfec4ba5d1fb23d8e022407919e8efab0f0

SHA256
268fa45a481f227102130bb03a54b0f47914f1a70bb634de2f0752e4b109ef9d

SHA512
9f730b82b5d6cb688690659f545b2ee017d139f8ddb817b412f50aa566a0e9d253d208ff03d880b1e78f2613af44a83d8d5c1ca3244545353d881a88dcb054c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
5f3a7042d76a34aa5981bbe7ee8427d0

SHA1
e252efa0f7278afdc7deb1b4ec1ebb53dba83986

SHA256
884840dce5a7f189937561c42599fe2e94565cb5dacc96d7a2d213558209e6bb

SHA512
8a363b423a7683395cb1534d5ada1a8b5846f5fb135c4266be19061ae3eacedef1c4ed594724ae05c7d36a066c416674f9d3e6d37480e481af953f543b6ee081

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
57eb68ee3f421ce3f02281f92d345ea0

SHA1
8ed67247f1aa77aa2779aa0fe58b548e8a3f6900

SHA256
770d15bf59b0d356a77d0053879a6046a981e79d8f6d633c8cd00c675d048b35

SHA512
b0f1d37a89029502f3679a3eca342904c3bea2c6f09033ff8191c2854df8445ea01fc74fa8b5573cebb0c1a495b00718785695cbe000ee623194398ccacd7754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
fe020c79a7c4211bcb65e0633bbc7903

SHA1
85f6ffe04a355fa8ac3e2e387cb1259ea4f363a5

SHA256
48375a91ecfc9affbfc2cdace7865cc367eac989bfe4eb87dd8d431bcdf3b7a5

SHA512
24713e29d8eeac24e34f60a6440500f95b229fe02132b79b437d94aa2e5a2eacb84560ee125834ba5035e84d6a9546b8736aacdacf87c39c3da903188c512973

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
266665b3fca1d1aa32a386dfc4f1ac4a

SHA1
6f83d31f2580c38608b4c71831f29367be5a73e2

SHA256
df936f8f9480f020bac4c337db8b2b58422551a33034bf51cf0a177ce7649767

SHA512
f30615459c368ec131aef748fe0f7436ab4721e847c4b34b0babeb88b68d8cd622ce9f19015aa05485e80be8f0962f77addba9bbf52a22f8ae874ae60f52eb61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aa1194db86995dd3fe1006d442f07805

SHA1
8c496cb92a84a69621e21b02fd79cb06fca02e61

SHA256
8142e31f6f26d1817508491c72f7bf10e843d913ac6b8cf9686d60cbb669162a

SHA512
5349df411e7b4b71297532dd0d8543c25d843969bb7d4ceab677211ec7966c1bb4fde81cb97b437cc0e1ab07b115f29cf00f323f73077cc5a3bab5121801d9f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f24dfa037c929d8b458b1aec7007000d

SHA1
65ef0b226bcad6a50dd4be245848b0f06516584a

SHA256
a80e8c02d51e578c9b42daf583e082e0f2a0d109cecc7814178b01cdc8d70d27

SHA512
49a35ef683e84ece4594e752ac52e929e1648a17fe37f909a3c465cd97dd4880686c79cb5126143c107c9bbcd4480f8b2c0b9bc003d14bb61560ef4e08b081a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
647650199800fcf7e6dbfd6e7dd8f62c

SHA1
a3dab15910ac107cc3797839093e30e31befda0d

SHA256
58939010be63fcb0aa9dd08932bc9d85aa65ec48d103803bbd49b82df6a30e47

SHA512
eface2b20513bc233733092fd9afd0c5a7a51855bb144ffe68d27b8324f0e460d0eafb3058b161f6aba0a51cfdaab754f2c5bac58be44bea4dbf6e1a9c146b49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d7e8db8d115e98a82fd293a19ce2bac4

SHA1
05965b941b9517f9564ab4a95f25459e9086c674

SHA256
c0cc7366d5b41a6cbd3f062a4858e6b66a6dee0d867ce49c3e772ec1e63cc10f

SHA512
a1da5d79b5260e9c7c99f3d171698f9bd3a3800c0a5a1923cc8c956d071b947e69fd18c85c5445ddd0255753592f57f0575628d60906237e4559b3cafcafb070

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0a21dd3b1dc02c3471ff21bca014a8f9

SHA1
981bb1bbefd0caa1b8a631f15c6fd46c4ecf9e18

SHA256
8d871f07318e4a4caf8ae84697fa99f7b65029fc7aa71b4f397d77a3ca9103fe

SHA512
6c6dbc7f3d2f3caeb375828765844e173112e50aa085ede5fdca9ff4f565cd5ff35ddc9cab4119cf56c21a7e06186b83d7df145a8f091a4c4b0e4c32dd2dc5a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c351176eeac3eb622ac13faee2ed7c27

SHA1
8e37d5dbcaf68499ef13a88c54d24b26ee90f271

SHA256
0d2fed02bc9e66c350ddf18dc05d76fdc730c7307aa7a204509ab37dd7a99d92

SHA512
614f865dda6f5c48e49e4ddda89da17024b234e121095eae9b731baea1a88c4b0423e1e0e8431237b3b616c776ce7a8b7f2f05b7255b90d8f8451df7df9bf762

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
165507f4358097be4a31057fbd1485b3

SHA1
fb8b7c9a86062f831c4b36d775f797a7faec05af

SHA256
fe7043e69d0f071a7d3fc13aab84d3d6db86c1c4a86832742dfeff73909401c1

SHA512
4ce960e66bef761bf5821d966387e3ccd7e079cb9a6634547884186f608bc8a4c76778a705e68215fccded0646e94c92090d4461d56ae14709b107237989c047

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d6ba91cf280c4fb04fa0bb1a967dbead

SHA1
aaf1124fc7411059894eb8fe25252ce102d1314d

SHA256
775827a6c913ca2f0cf0f75380ae59e6da29b81d81100bb4a8fdef2ff9094b7a

SHA512
2ce148f7682dfcea2ab7b0713a119a74b3a34e5d4a8d224b77d9c5265f26b6920d4ae00df1850c0ae50f8a5c605d979140090df88d247710de066b187424d4e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
27f4754a20ffaf349c2a1fb1e32923e1

SHA1
2f10d4f28415b337f1017a63de05ceeaca36cd7a

SHA256
1b0e583e2d45352276b3e92f3a007d7b0b190da50538bb251635a757820ce14f

SHA512
e7c43d0164446da3ece6079d71f0e55bc78caf233fc50c4530ece06f93b6f8c1151002dfab4ecd679055004fa947a384809154bb6a40a1999df3507ea675fcde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
8d758d57696f7d0b22f700b1231e92b0

SHA1
83a4bf16f7586df724b55b0d62331cc63443cf6e

SHA256
76923994e77c1980f821c9708a9b817ad2f188823eef1683ef322b29c9de32a1

SHA512
3ffc656278738033de85ef1b0a98a39e60664e5aeef05527ebf74c3752d70123935af2f3fe3e319e9ec4741b191ab238587cf8775a4a08b67b37f8f7b22b83f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
b266038b4e1b1309bbbc78c0d6a402a9

SHA1
123f4f2fa0688e7bd03037b26c3ff07a00664727

SHA256
54d4d7d3daa812fe1d9f98e73544ea1b24471f7c3015ba2f3a4c45eb96100e17

SHA512
7dbcc9dd43a3adb5bbd3f1d58ee44b8e6386774830f6367c830e745815d245e474ada6733354a80eb305aaaed3a4a90c34db44b4984fc7ddb51bf9c2e13041dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2664_1704514277\7249f635-6809-4ba2-b7c0-818b3786d38a.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2664_1704514277\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/2040-587-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-598-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-611-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-612-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-614-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-613-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-608-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-585-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-586-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-610-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-588-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-590-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-589-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-591-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-592-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-594-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-595-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-596-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-597-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-600-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-599-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-609-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-593-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-601-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-602-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-603-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-604-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-605-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-606-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/2040-607-0x0000022BA4D40000-0x0000022BA4D50000-memory.dmp

Filesize
64KB

Download
memory/4260-583-0x0000023DCBC40000-0x0000023DCBC48000-memory.dmp

Filesize
32KB

Download
memory/4260-579-0x0000023DC9010000-0x0000023DC9018000-memory.dmp

Filesize
32KB

Download
memory/4260-547-0x0000023DC4A20000-0x0000023DC4A30000-memory.dmp

Filesize
64KB

Download
memory/4260-563-0x0000023DC4C50000-0x0000023DC4C60000-memory.dmp

Filesize
64KB

Download
memory/4736-427-0x00007FFB768C0000-0x00007FFB77381000-memory.dmp

Filesize
10.8MB

Download
memory/4736-0-0x00007FFB768C3000-0x00007FFB768C5000-memory.dmp

Filesize
8KB

Download
memory/4736-32-0x00007FFB768C3000-0x00007FFB768C5000-memory.dmp

Filesize
8KB

Download
memory/4736-4-0x000002A6735A0000-0x000002A673AC8000-memory.dmp

Filesize
5.2MB

Download
memory/4736-3-0x00007FFB768C0000-0x00007FFB77381000-memory.dmp

Filesize
10.8MB

Download
memory/4736-2-0x000002A672EA0000-0x000002A673062000-memory.dmp

Filesize
1.8MB

Download
memory/4736-1-0x000002A670640000-0x000002A670658000-memory.dmp

Filesize
96KB

Download