6edf58e55464a347de7f6aa1cee75198cf1d89f399665ca75ebbe891088761cf

Virtualization/Sandbox Evasion

T1497

Processes:

EpwZi3ETPnXZ.exelolicor.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EpwZi3ETPnXZ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	lolicor.exe

Executes dropped EXE 5 IoCs

Processes:

theruez.exedcpfromhorizon.exedcpfromhorizon.exelolicor.exeEpwZi3ETPnXZ.exe

pid process

4756 theruez.exe
8 dcpfromhorizon.exe
3316 dcpfromhorizon.exe
4652 lolicor.exe
3036 EpwZi3ETPnXZ.exe

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

dcpfromhorizon.exedcpfromhorizon.exetheruez.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharpOD_Drv\ImagePath = "\\??\\C:\\Users\\Admin\\Desktop\\hdf\\x64\\plugins\\SharpOD_Drv.sys"	dcpfromhorizon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharpOD_Drv\ImagePath = "\\??\\C:\\Users\\Admin\\Desktop\\hdf\\x64\\plugins\\SharpOD_Drv.sys"	dcpfromhorizon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharpOD_Drv\ImagePath = "\\??\\C:\\Users\\Admin\\Desktop\\hdf\\x64\\plugins\\SharpOD_Drv.sys"	theruez.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

lolicor.exeEpwZi3ETPnXZ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lolicor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lolicor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EpwZi3ETPnXZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EpwZi3ETPnXZ.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

lolicor.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation lolicor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	lolicor.exe

Loads dropped DLL 63 IoCs

Processes:

theruez.exedcpfromhorizon.exedcpfromhorizon.exex64dbg.exe

pid	process
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3568	x64dbg.exe

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/4652-194-0x00007FF6ECD80000-0x00007FF6F02A9000-memory.dmp	themida
behavioral1/memory/4652-195-0x00007FF6ECD80000-0x00007FF6F02A9000-memory.dmp	themida
behavioral1/memory/4652-196-0x00007FF6ECD80000-0x00007FF6F02A9000-memory.dmp	themida
behavioral1/memory/4652-197-0x00007FF6ECD80000-0x00007FF6F02A9000-memory.dmp	themida
behavioral1/memory/4652-198-0x00007FF6ECD80000-0x00007FF6F02A9000-memory.dmp	themida
behavioral1/memory/4652-199-0x00007FF6ECD80000-0x00007FF6F02A9000-memory.dmp	themida
behavioral1/memory/4652-200-0x00007FF6ECD80000-0x00007FF6F02A9000-memory.dmp	themida
behavioral1/memory/3036-216-0x00007FF6586E0000-0x00007FF659398000-memory.dmp	themida
behavioral1/memory/3036-217-0x00007FF6586E0000-0x00007FF659398000-memory.dmp	themida
behavioral1/memory/3036-218-0x00007FF6586E0000-0x00007FF659398000-memory.dmp	themida
behavioral1/memory/3036-219-0x00007FF6586E0000-0x00007FF659398000-memory.dmp	themida
behavioral1/memory/3036-220-0x00007FF6586E0000-0x00007FF659398000-memory.dmp	themida
behavioral1/memory/3036-221-0x00007FF6586E0000-0x00007FF659398000-memory.dmp	themida
behavioral1/memory/3036-222-0x00007FF6586E0000-0x00007FF659398000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

lolicor.exeEpwZi3ETPnXZ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lolicor.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EpwZi3ETPnXZ.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

Processes:

EpwZi3ETPnXZ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\Desktop\Wallpaper = "C:\\zalupa.png"	EpwZi3ETPnXZ.exe

Suspicious use of NtCreateThreadExHideFromDebugger 6 IoCs

Processes:

lolicor.exeEpwZi3ETPnXZ.exe

pid process

4652 lolicor.exe
4652 lolicor.exe
4652 lolicor.exe
3036 EpwZi3ETPnXZ.exe
3036 EpwZi3ETPnXZ.exe
3036 EpwZi3ETPnXZ.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

lolicor.exeEpwZi3ETPnXZ.exe

pid process

4652 lolicor.exe
3036 EpwZi3ETPnXZ.exe

pid	process
4652	lolicor.exe
4652	lolicor.exe
4652	lolicor.exe
3036	EpwZi3ETPnXZ.exe
3036	EpwZi3ETPnXZ.exe
3036	EpwZi3ETPnXZ.exe

pid	process
4652	lolicor.exe
3036	EpwZi3ETPnXZ.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

x64dbg.exe

description	pid	process	target process
PID 3568 set thread context of 3844	3568	x64dbg.exe	SppExtComObj.exe
PID 3568 set thread context of 3844	3568	x64dbg.exe	SppExtComObj.exe
PID 3568 set thread context of 3844	3568	x64dbg.exe	SppExtComObj.exe
PID 3568 set thread context of 3844	3568	x64dbg.exe	SppExtComObj.exe
PID 3568 set thread context of 3844	3568	x64dbg.exe	SppExtComObj.exe
PID 3568 set thread context of 3844	3568	x64dbg.exe	SppExtComObj.exe
PID 3568 set thread context of 3844	3568	x64dbg.exe	SppExtComObj.exe
PID 3568 set thread context of 3844	3568	x64dbg.exe	SppExtComObj.exe
PID 3568 set thread context of 3844	3568	x64dbg.exe	SppExtComObj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4008	4756	WerFault.exe	theruez.exe
2236	8	WerFault.exe	dcpfromhorizon.exe
2064	3316	WerFault.exe	dcpfromhorizon.exe
3712	3036	WerFault.exe	EpwZi3ETPnXZ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EEBEFA0D-125A-11ED-BE0E-F652DE9C8056} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EEBEFA0F-125A-11ED-BE0E-F652DE9C8056}.dat = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry class 39 IoCs

Processes:

x64dbg.exechrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	x64dbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff	x64dbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\NodeSlot = "7"	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	x64dbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 56003100000000000255c060100072656c6561736500400009000400efbe0255bd600255c0602e00000073310200000006000000000000000000000000000000893d9b00720065006c006500610073006500000016000000	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = ffffffff	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 4a003100000000000255c860300078363400380009000400efbe0255c0600255c8602e000000063202000000060000000000000000000000000000005e996f00780036003400000012000000	x64dbg.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

theruez.exedcpfromhorizon.exedcpfromhorizon.exex64dbg.exe

pid process

4756 theruez.exe
8 dcpfromhorizon.exe
3316 dcpfromhorizon.exe
3568 x64dbg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exetheruez.exedcpfromhorizon.exechrome.exedcpfromhorizon.exechrome.exechrome.exex64dbg.exe

pid	process
3100	chrome.exe
3100	chrome.exe
1800	chrome.exe
1800	chrome.exe
852	chrome.exe
852	chrome.exe
4508	chrome.exe
4508	chrome.exe
2824	chrome.exe
2824	chrome.exe
4352	chrome.exe
4352	chrome.exe
4400	chrome.exe
4400	chrome.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
4756	theruez.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3592	chrome.exe
3592	chrome.exe
1732	chrome.exe
1732	chrome.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

7zFM.exetheruez.exedcpfromhorizon.exedcpfromhorizon.exex64dbg.exe

pid process

4232 7zFM.exe
4756 theruez.exe
8 dcpfromhorizon.exe
3316 dcpfromhorizon.exe
3568 x64dbg.exe
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

theruez.exedcpfromhorizon.exedcpfromhorizon.exe

pid process

4756 theruez.exe
8 dcpfromhorizon.exe
3316 dcpfromhorizon.exe

pid	process
4232	7zFM.exe
4756	theruez.exe
8	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3568	x64dbg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

Processes:

chrome.exe

pid	process
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7zFM.exetheruez.exedcpfromhorizon.exedcpfromhorizon.exex64dbg.exeEpwZi3ETPnXZ.exe

description	pid	process
Token: SeRestorePrivilege	4232	7zFM.exe
Token: 35	4232	7zFM.exe
Token: SeSecurityPrivilege	4232	7zFM.exe
Token: SeLoadDriverPrivilege	4756	theruez.exe
Token: SeLoadDriverPrivilege	8	dcpfromhorizon.exe
Token: SeLoadDriverPrivilege	3316	dcpfromhorizon.exe
Token: SeDebugPrivilege	3568	x64dbg.exe
Token: SeShutdownPrivilege	3036	EpwZi3ETPnXZ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exechrome.exe

pid	process
4120	iexplore.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe

Suspicious use of SendNotifyMessage 56 IoCs

Processes:

chrome.exe

pid	process
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEOpenWith.exetheruez.exedcpfromhorizon.exedcpfromhorizon.exex64dbg.exelolicor.exeEpwZi3ETPnXZ.exe

pid	process
4120	iexplore.exe
4120	iexplore.exe
4688	IEXPLORE.EXE
4688	IEXPLORE.EXE
1356	OpenWith.exe
1356	OpenWith.exe
1356	OpenWith.exe
1356	OpenWith.exe
1356	OpenWith.exe
4756	theruez.exe
4756	theruez.exe
8	dcpfromhorizon.exe
8	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3316	dcpfromhorizon.exe
3568	x64dbg.exe
3568	x64dbg.exe
3568	x64dbg.exe
4652	lolicor.exe
3036	EpwZi3ETPnXZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 4120 wrote to memory of 4688	4120	iexplore.exe	IEXPLORE.EXE
PID 4120 wrote to memory of 4688	4120	iexplore.exe	IEXPLORE.EXE
PID 4120 wrote to memory of 4688	4120	iexplore.exe	IEXPLORE.EXE
PID 1800 wrote to memory of 4296	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4296	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2148	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 3100	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 3100	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 1520	1800	chrome.exe	chrome.exe

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4120

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4120 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb22b4f50,0x7fffb22b4f60,0x7fffb22b4f70
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1716 /prefetch:2
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2004 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2412 /prefetch:8
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
2⤵
PID:3684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4352 /prefetch:8
2⤵
PID:756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
2⤵
PID:3396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4220 /prefetch:8
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4680 /prefetch:8
2⤵
PID:4816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4632 /prefetch:8
2⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5072 /prefetch:8
2⤵
PID:4124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4992 /prefetch:8
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4700 /prefetch:8
2⤵
PID:3364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5088 /prefetch:8
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
2⤵
PID:2704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
2⤵
PID:600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
2⤵
PID:4816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
2⤵
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
2⤵
PID:908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 /prefetch:8
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=892 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 /prefetch:8
2⤵
PID:1580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3028 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2128 /prefetch:8
2⤵
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2132 /prefetch:8
2⤵
PID:744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
2⤵
PID:3760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6580 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
2⤵
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
2⤵
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
2⤵
PID:3808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
2⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6540 /prefetch:8
2⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1076 /prefetch:1
2⤵
PID:3396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=892 /prefetch:1
2⤵
PID:440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
2⤵
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6836 /prefetch:1
2⤵
PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1
2⤵
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:1
2⤵
PID:180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
2⤵
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
2⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5764 /prefetch:8
2⤵
PID:1220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7300 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
2⤵
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
2⤵
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:1
2⤵
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
2⤵
PID:1632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
2⤵
PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6828 /prefetch:8
2⤵
PID:4024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:1
2⤵
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
2⤵
PID:3560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
2⤵
PID:1544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,2625736206281525376,14528357623586906652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:8
2⤵
PID:3540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb22b4f50,0x7fffb22b4f60,0x7fffb22b4f70
2⤵
PID:3408

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5024

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1356

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\hdf.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Users\Admin\Desktop\hdf\x64\theruez.exe
"C:\Users\Admin\Desktop\hdf\x64\theruez.exe"
1⤵
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4756 -s 1244
2⤵
- Program crash
PID:4008

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 4756 -ip 4756
1⤵
PID:4464

C:\Users\Admin\Desktop\hdf\x64\dcpfromhorizon.exe
"C:\Users\Admin\Desktop\hdf\x64\dcpfromhorizon.exe"
1⤵
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:8

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 8 -s 1028
2⤵
- Program crash
PID:2236

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 8 -ip 8
1⤵
PID:1540

C:\Users\Admin\Desktop\hdf\x64\dcpfromhorizon.exe
"C:\Users\Admin\Desktop\hdf\x64\dcpfromhorizon.exe"
1⤵
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3316 -s 952
2⤵
- Program crash
PID:2064

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 3316 -ip 3316
1⤵
PID:3420

C:\Users\Admin\Desktop\release\x64\x64dbg.exe
"C:\Users\Admin\Desktop\release\x64\x64dbg.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3568

C:\Users\Admin\Desktop\hdf\lolicor.exe
"C:\Users\Admin\Desktop\hdf\lolicor.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4652

C:\Users\Admin\Desktop\hdf\EpwZi3ETPnXZ.exe
EpwZi3ETPnXZ.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3036 -s 656
3⤵
- Program crash
PID:3712

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\Desktop\hdf\lolicor.exe >> NUL
2⤵
PID:8

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 3036 -ip 3036
1⤵
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery