dcrat | hxxps://disk[.]yandex[.]ru/d/JY1gwtKuh6QBqA

Analysis

max time kernel
134s
max time network
136s
platform
windows10_x64
resource
win10v20210408
submitted
28-07-2021 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/JY1gwtKuh6QBqA
Sample

210728-2145b5r5la

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/4240-416-0x0000000001800000-0x0000000001802000-memory.dmp	disable_win_def

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

DCRat Payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\FreeCheatDayz\Loader.exe	dcrat
C:\Users\Admin\Desktop\FreeCheatDayz\Loader.exe	dcrat
C:\DriverBrokernet\DriverBrokernetRuntimebroker.exe	dcrat
C:\DriverBrokernet\DriverBrokernetRuntimebroker.exe	dcrat

Executes dropped EXE 6 IoCs

Processes:

Loader.exeDriverBrokernetRuntimebroker.exechrmstp.exeLoader.exeDriverBrokernetRuntimebroker.exeShellExperienceHost.exe

pid	process
4832	Loader.exe
5116	DriverBrokernetRuntimebroker.exe
4240	chrmstp.exe
4356	Loader.exe
4968	DriverBrokernetRuntimebroker.exe
2972	ShellExperienceHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

87 ip-api.com

flow	ioc
87	ip-api.com

Drops file in System32 directory 9 IoCs

Processes:

DriverBrokernetRuntimebroker.exeDriverBrokernetRuntimebroker.exe

description	ioc	process
File opened for modification	C:\Windows\System32\AppointmentApis\RuntimeBroker.exe	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\System32\Windows.System.Launcher\fontdrvhost.exe	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\SysWOW64\clrhost\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\System32\dmcmnutils\spoolsv.exe	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\System32\dmcmnutils\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\System32\Windows.System.Launcher\5b884080fd4f94e2695da25c503f9e33b9605b83	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\SysWOW64\clrhost\cmd.exe	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\System32\AppointmentApis\RuntimeBroker.exe	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\System32\AppointmentApis\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	DriverBrokernetRuntimebroker.exe

Drops file in Program Files directory 6 IoCs

Processes:

DriverBrokernetRuntimebroker.exeDriverBrokernetRuntimebroker.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\WmiPrvSE.exe	DriverBrokernetRuntimebroker.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\24dbde2999530ef5fd907494bc374d663924116c	DriverBrokernetRuntimebroker.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp\chrmstp.exe	DriverBrokernetRuntimebroker.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp\39da50c021884abe4c2719ccd63276d5eed592dd	DriverBrokernetRuntimebroker.exe
File created	C:\Program Files\Windows Multimedia Platform\csrss.exe	DriverBrokernetRuntimebroker.exe
File created	C:\Program Files\Windows Multimedia Platform\886983d96e3d3e31032c679b2d4ea91b6c05afef	DriverBrokernetRuntimebroker.exe

Drops file in Windows directory 4 IoCs

Processes:

DriverBrokernetRuntimebroker.exeDriverBrokernetRuntimebroker.exe

description	ioc	process
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\f8c8f1285d826bc63910aaf97db97186ba642b4f	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\ShellExperienceHost.exe	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\f8c8f1285d826bc63910aaf97db97186ba642b4f	DriverBrokernetRuntimebroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5104	schtasks.exe
1604	schtasks.exe
4644	schtasks.exe
4848	schtasks.exe
2300	schtasks.exe
2288	schtasks.exe
3164	schtasks.exe
1084	schtasks.exe
488	schtasks.exe
4532	schtasks.exe
4368	schtasks.exe
2952	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 6 IoCs

Processes:

chrome.exe7zFM.exeLoader.exeDriverBrokernetRuntimebroker.exeLoader.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	DriverBrokernetRuntimebroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Loader.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4460 PING.EXE

pid	process
4460	PING.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exeDriverBrokernetRuntimebroker.exechrmstp.exepowershell.exeDriverBrokernetRuntimebroker.exeShellExperienceHost.exepowershell.exe

pid	process
1784	chrome.exe
1784	chrome.exe
568	chrome.exe
568	chrome.exe
4512	chrome.exe
4512	chrome.exe
4312	chrome.exe
4312	chrome.exe
4868	chrome.exe
4868	chrome.exe
5116	DriverBrokernetRuntimebroker.exe
5116	DriverBrokernetRuntimebroker.exe
5116	DriverBrokernetRuntimebroker.exe
5116	DriverBrokernetRuntimebroker.exe
5116	DriverBrokernetRuntimebroker.exe
5116	DriverBrokernetRuntimebroker.exe
5116	DriverBrokernetRuntimebroker.exe
4240	chrmstp.exe
4240	chrmstp.exe
4240	chrmstp.exe
4240	chrmstp.exe
1916	powershell.exe
1916	powershell.exe
1916	powershell.exe
4968	DriverBrokernetRuntimebroker.exe
2972	ShellExperienceHost.exe
2972	ShellExperienceHost.exe
2972	ShellExperienceHost.exe
2972	ShellExperienceHost.exe
4728	powershell.exe
4728	powershell.exe
4728	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

4988 7zFM.exe

pid	process
4988	7zFM.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

7zFM.exeDriverBrokernetRuntimebroker.exechrmstp.exepowershell.exeDriverBrokernetRuntimebroker.exeShellExperienceHost.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	4988	7zFM.exe
Token: 35	4988	7zFM.exe
Token: SeSecurityPrivilege	4988	7zFM.exe
Token: SeDebugPrivilege	5116	DriverBrokernetRuntimebroker.exe
Token: SeDebugPrivilege	4240	chrmstp.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeIncreaseQuotaPrivilege	1916	powershell.exe
Token: SeSecurityPrivilege	1916	powershell.exe
Token: SeTakeOwnershipPrivilege	1916	powershell.exe
Token: SeLoadDriverPrivilege	1916	powershell.exe
Token: SeSystemProfilePrivilege	1916	powershell.exe
Token: SeSystemtimePrivilege	1916	powershell.exe
Token: SeProfSingleProcessPrivilege	1916	powershell.exe
Token: SeIncBasePriorityPrivilege	1916	powershell.exe
Token: SeCreatePagefilePrivilege	1916	powershell.exe
Token: SeBackupPrivilege	1916	powershell.exe
Token: SeRestorePrivilege	1916	powershell.exe
Token: SeShutdownPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeSystemEnvironmentPrivilege	1916	powershell.exe
Token: SeRemoteShutdownPrivilege	1916	powershell.exe
Token: SeUndockPrivilege	1916	powershell.exe
Token: SeManageVolumePrivilege	1916	powershell.exe
Token: 33	1916	powershell.exe
Token: 34	1916	powershell.exe
Token: 35	1916	powershell.exe
Token: 36	1916	powershell.exe
Token: SeDebugPrivilege	4968	DriverBrokernetRuntimebroker.exe
Token: SeDebugPrivilege	2972	ShellExperienceHost.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeIncreaseQuotaPrivilege	4728	powershell.exe
Token: SeSecurityPrivilege	4728	powershell.exe
Token: SeTakeOwnershipPrivilege	4728	powershell.exe
Token: SeLoadDriverPrivilege	4728	powershell.exe
Token: SeSystemProfilePrivilege	4728	powershell.exe
Token: SeSystemtimePrivilege	4728	powershell.exe
Token: SeProfSingleProcessPrivilege	4728	powershell.exe
Token: SeIncBasePriorityPrivilege	4728	powershell.exe
Token: SeCreatePagefilePrivilege	4728	powershell.exe
Token: SeBackupPrivilege	4728	powershell.exe
Token: SeRestorePrivilege	4728	powershell.exe
Token: SeShutdownPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeSystemEnvironmentPrivilege	4728	powershell.exe
Token: SeRemoteShutdownPrivilege	4728	powershell.exe
Token: SeUndockPrivilege	4728	powershell.exe
Token: SeManageVolumePrivilege	4728	powershell.exe
Token: 33	4728	powershell.exe
Token: 34	4728	powershell.exe
Token: 35	4728	powershell.exe
Token: 36	4728	powershell.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

chrome.exe7zFM.exe

pid	process
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
4988	7zFM.exe
4988	7zFM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

chrmstp.exeShellExperienceHost.exe

pid process

4240 chrmstp.exe
2972 ShellExperienceHost.exe

pid	process
4240	chrmstp.exe
2972	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 568 wrote to memory of 1512	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 1512	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2096	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 1784	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 1784	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 728	568	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://disk.yandex.ru/d/JY1gwtKuh6QBqA
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0xb0,0xd4,0x7ffcc2c74f50,0x7ffcc2c74f60,0x7ffcc2c74f70
2⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1604 /prefetch:2
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1656 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 /prefetch:8
2⤵
PID:728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:1
2⤵
PID:184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:1
2⤵
PID:1376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
2⤵
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
2⤵
PID:3760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
2⤵
PID:3852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
2⤵
PID:3528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4920 /prefetch:8
2⤵
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6844 /prefetch:8
2⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7040 /prefetch:8
2⤵
PID:4720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7024 /prefetch:8
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7056 /prefetch:8
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7176 /prefetch:8
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7288 /prefetch:8
2⤵
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7152 /prefetch:8
2⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7032 /prefetch:8
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7060 /prefetch:8
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7356 /prefetch:8
2⤵
PID:4232

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7076ea890,0x7ff7076ea8a0,0x7ff7076ea8b0
3⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7208 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7424 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7428 /prefetch:8
2⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7412 /prefetch:8
2⤵
PID:4676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7472 /prefetch:8
2⤵
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7236 /prefetch:8
2⤵
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6580 /prefetch:8
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6568 /prefetch:8
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6564 /prefetch:8
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6560 /prefetch:8
2⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6604 /prefetch:8
2⤵
PID:4288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6636 /prefetch:8
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5740 /prefetch:8
2⤵
PID:992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5752 /prefetch:8
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7336 /prefetch:8
2⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5648 /prefetch:8
2⤵
PID:4720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5664 /prefetch:8
2⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5676 /prefetch:8
2⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5688 /prefetch:8
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5700 /prefetch:8
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6004 /prefetch:8
2⤵
PID:3808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5996 /prefetch:8
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3604 /prefetch:8
2⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5952 /prefetch:8
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5696 /prefetch:8
2⤵
PID:4792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6024 /prefetch:8
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8560 /prefetch:8
2⤵
PID:4768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8572 /prefetch:8
2⤵
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,6784124359685138150,16279010389695077140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8584 /prefetch:8
2⤵
PID:4712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4888

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\FreeCheatDayz.rar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4988

C:\Users\Admin\Desktop\FreeCheatDayz\Loader.exe
"C:\Users\Admin\Desktop\FreeCheatDayz\Loader.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4832

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\DriverBrokernet\aoCeVNmnVor99WaOvkXEcZja.vbe"
2⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\DriverBrokernet\dBjdNa8xoJk64QTlSRKrFKa0.bat" "
3⤵
PID:4960

C:\DriverBrokernet\DriverBrokernetRuntimebroker.exe
"C:\DriverBrokernet\DriverBrokernetRuntimebroker.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Boot\fi-FI\conhost.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4532

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4368

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\Windows.System.Launcher\fontdrvhost.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2952

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\WmiPrvSE.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4644

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\PerfLogs\sihost.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4848

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2288

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "chrmstp" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp\chrmstp.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3164

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\clrhost\cmd.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1084

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\dmcmnutils\spoolsv.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ip2uZu4OM.bat"
5⤵
PID:2364

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:4576

C:\Windows\system32\PING.EXE
ping -n 5 localhost
6⤵
- Runs ping.exe
PID:4460

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp\chrmstp.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Users\Admin\Desktop\FreeCheatDayz\Loader.exe
"C:\Users\Admin\Desktop\FreeCheatDayz\Loader.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4356

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\DriverBrokernet\aoCeVNmnVor99WaOvkXEcZja.vbe"
2⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\DriverBrokernet\dBjdNa8xoJk64QTlSRKrFKa0.bat" "
3⤵
PID:5012

C:\DriverBrokernet\DriverBrokernetRuntimebroker.exe
"C:\DriverBrokernet\DriverBrokernetRuntimebroker.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\AppointmentApis\RuntimeBroker.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:488

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\ShellExperienceHost.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:5104

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1604

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\ShellExperienceHost.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DriverBrokernet\DriverBrokernetRuntimebroker.exe
MD5
15be1eb0d4719cd58fd3f16d317a20b8

SHA1
b3472127ebd76e84bb9c6b5378d8e3eed3e185b6

SHA256
66d238bcbe6f39b7b1e04647586e9579ff6fe6464d93125497712e2475fc0440

SHA512
510ae3cb787abade3c6bc482c0548d31f917c9e5daca50af301564c0337dd140b28cdd6d4d38429c7f11ee1b907522764d3acbba3f2886977569704a5ea371ef

Download Submit
C:\DriverBrokernet\DriverBrokernetRuntimebroker.exe
MD5
15be1eb0d4719cd58fd3f16d317a20b8

SHA1
b3472127ebd76e84bb9c6b5378d8e3eed3e185b6

SHA256
66d238bcbe6f39b7b1e04647586e9579ff6fe6464d93125497712e2475fc0440

SHA512
510ae3cb787abade3c6bc482c0548d31f917c9e5daca50af301564c0337dd140b28cdd6d4d38429c7f11ee1b907522764d3acbba3f2886977569704a5ea371ef

Download Submit
C:\DriverBrokernet\aoCeVNmnVor99WaOvkXEcZja.vbe
MD5
6cc4ceb41085c33ef8eebc512aa98c39

SHA1
7c98a216f9e45037190c2dc20d31502ce830da99

SHA256
a6e78170664f644ddfe80fc6776b13085f990e3e8510ad75205b766030ab19ab

SHA512
76676ccaf93326b90cfde58608923f4133e3b04c71c0a291ca750f78c93dbcc1e7407a25d0745f0caab65c3f2a607d334384351c35f4e5233038b77b485a41c6

Download Submit
C:\DriverBrokernet\dBjdNa8xoJk64QTlSRKrFKa0.bat
MD5
9fc130358cbf74db03aabeeb7854ca6b

SHA1
5e79ca69d45ac96fa3bd23101818c9ce90fb34d8

SHA256
f0e804116bea05f1b89307a228254beab807b53df9f1dd6fae4ce9a360bc2982

SHA512
7d3337304742fa579eef8520439e3f2e516674bde638a2c0ad8c0345f8e4cd1ac2e1aadf69fa3c75f1676adccbd3900d15c6330e5ce71ea44f6de93cf26fef6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
b85e96c13c28aafd48e4e2bb01206a7f

SHA1
47566a6657b2f732d4f1fcddc877944da2563200

SHA256
4f7423b28e701dc3587054b914ebffa89f538cc3e8d1f995cf8e1fc1ac07393f

SHA512
e00067a89197c614ea91104ed881a619a37290b4bed295efe12dd998268a4205cba2f92c707e1539a9167600e79de62e2349348f2b0a3ebf408bc5e968682246

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ip2uZu4OM.bat
MD5
b9da338766065d1d8ff0c418f6f5ea8d

SHA1
16698ebdd057cbfa211856b24d66704ffdd47607

SHA256
d7db49010e94913d31e3fba112c6921b6438691e5751a699dfcb937c8facd157

SHA512
b7c5bb5b89b0419dd7a41cd9777c08666d76abfc86e773ad29cb96abd5b9821b2aacab4b41a5a3c1c9a65294e596067d82d097e6046d2e88a506f0e3e2504029

Download Submit
C:\Users\Admin\Desktop\FreeCheatDayz\Loader.exe
MD5
e44153fbc8eb2869e5eed232cf084427

SHA1
844d785dc829228f34bd4c77c27ce6a87766f287

SHA256
75739212f39d025329e1c4594f8e2b5be07402bef199b342b459d88bfeaf88cb

SHA512
0034dc469c601cb8688241dcfb4afc36761d536d4d252f58083105afc97b9c460f39764cf142cd03f71b008c3391c28fd4585b58502a31919f8735b25692097c

Download Submit
C:\Users\Admin\Desktop\FreeCheatDayz\Loader.exe
MD5
e44153fbc8eb2869e5eed232cf084427

SHA1
844d785dc829228f34bd4c77c27ce6a87766f287

SHA256
75739212f39d025329e1c4594f8e2b5be07402bef199b342b459d88bfeaf88cb

SHA512
0034dc469c601cb8688241dcfb4afc36761d536d4d252f58083105afc97b9c460f39764cf142cd03f71b008c3391c28fd4585b58502a31919f8735b25692097c

Download Submit
C:\Users\Admin\Downloads\FreeCheatDayz.rar
MD5
52994275422c7cbd72f81b1217d331c2

SHA1
1e96a53ec36e7ca7d213b11e469f8bb77f82155f

SHA256
9140d00190f00b22a90077063079e7cdc7d8f57d57f772643231905a92293cd9

SHA512
e7433df3323075c8cfd1283f460c2d5ecd3f261d9c49e0557b9490b19e9692d157095f7d90650d772649f19d3528fec5de2738833d54f402cbfc9d056d414949

Download Submit
\??\pipe\crashpad_4420_HDVVDWUIGDASYKRF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_568_KDRVKYIADHLGCINU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/184-137-0x0000000000000000-mapping.dmp

Download
memory/728-128-0x0000000000000000-mapping.dmp

Download
memory/992-296-0x0000000000000000-mapping.dmp

Download
memory/1084-406-0x0000000000000000-mapping.dmp

Download
memory/1376-140-0x0000000000000000-mapping.dmp

Download
memory/1512-116-0x0000000000000000-mapping.dmp

Download
memory/1784-122-0x0000000000000000-mapping.dmp

Download
memory/1916-442-0x0000029F38426000-0x0000029F38428000-memory.dmp

Filesize
8KB

Download
memory/1916-432-0x0000029F1FE00000-0x0000029F1FE01000-memory.dmp

Filesize
4KB

Download
memory/1916-431-0x0000029F38423000-0x0000029F38425000-memory.dmp

Filesize
8KB

Download
memory/1916-430-0x0000029F38420000-0x0000029F38422000-memory.dmp

Filesize
8KB

Download
memory/1916-436-0x0000029F38EF0000-0x0000029F38EF1000-memory.dmp

Filesize
4KB

Download
memory/2088-145-0x0000000000000000-mapping.dmp

Download
memory/2096-121-0x0000000000000000-mapping.dmp

Download
memory/2096-123-0x00007FFCCA360000-0x00007FFCCA361000-memory.dmp

Filesize
4KB

Download
memory/2288-404-0x0000000000000000-mapping.dmp

Download
memory/2296-292-0x0000000000000000-mapping.dmp

Download
memory/2952-401-0x0000000000000000-mapping.dmp

Download
memory/2972-484-0x000000001B584000-0x000000001B585000-memory.dmp

Filesize
4KB

Download
memory/2972-487-0x000000001B582000-0x000000001B584000-memory.dmp

Filesize
8KB

Download
memory/2972-488-0x000000001B585000-0x000000001B587000-memory.dmp

Filesize
8KB

Download
memory/2972-468-0x000000001B580000-0x000000001B582000-memory.dmp

Filesize
8KB

Download
memory/3164-305-0x0000000000000000-mapping.dmp

Download
memory/3164-405-0x0000000000000000-mapping.dmp

Download
memory/3528-161-0x0000000000000000-mapping.dmp

Download
memory/3760-149-0x0000000000000000-mapping.dmp

Download
memory/3808-340-0x0000000000000000-mapping.dmp

Download
memory/3852-154-0x0000000000000000-mapping.dmp

Download
memory/3988-224-0x0000000000000000-mapping.dmp

Download
memory/4228-389-0x0000000000000000-mapping.dmp

Download
memory/4232-229-0x0000000000000000-mapping.dmp

Download
memory/4240-425-0x000000001BBB2000-0x000000001BBB4000-memory.dmp

Filesize
8KB

Download
memory/4240-422-0x000000001F0F0000-0x000000001F0F1000-memory.dmp

Filesize
4KB

Download
memory/4240-415-0x00000000017D0000-0x00000000017D6000-memory.dmp

Filesize
24KB

Download
memory/4240-414-0x000000001BB00000-0x000000001BB07000-memory.dmp

Filesize
28KB

Download
memory/4240-413-0x000000001BAE0000-0x000000001BAE7000-memory.dmp

Filesize
28KB

Download
memory/4240-412-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/4240-417-0x00000000017E0000-0x00000000017E4000-memory.dmp

Filesize
16KB

Download
memory/4240-411-0x00000000017A0000-0x00000000017A6000-memory.dmp

Filesize
24KB

Download
memory/4240-428-0x000000001BBB5000-0x000000001BBB7000-memory.dmp

Filesize
8KB

Download
memory/4240-410-0x000000001BBB0000-0x000000001BBB2000-memory.dmp

Filesize
8KB

Download
memory/4240-418-0x00000000031D0000-0x00000000031D7000-memory.dmp

Filesize
28KB

Download
memory/4240-427-0x000000001BBB4000-0x000000001BBB5000-memory.dmp

Filesize
4KB

Download
memory/4240-416-0x0000000001800000-0x0000000001802000-memory.dmp

Filesize
8KB

Download
memory/4240-419-0x0000000003300000-0x0000000003302000-memory.dmp

Filesize
8KB

Download
memory/4240-420-0x000000001BB10000-0x000000001BB12000-memory.dmp

Filesize
8KB

Download
memory/4240-421-0x000000001BB70000-0x000000001BB72000-memory.dmp

Filesize
8KB

Download
memory/4288-285-0x0000000000000000-mapping.dmp

Download
memory/4312-243-0x0000000000000000-mapping.dmp

Download
memory/4336-247-0x0000000000000000-mapping.dmp

Download
memory/4344-363-0x0000000000000000-mapping.dmp

Download
memory/4368-400-0x0000000000000000-mapping.dmp

Download
memory/4372-348-0x0000000000000000-mapping.dmp

Download
memory/4384-176-0x0000000000000000-mapping.dmp

Download
memory/4420-233-0x0000000000000000-mapping.dmp

Download
memory/4428-239-0x0000000000000000-mapping.dmp

Download
memory/4512-236-0x0000000000000000-mapping.dmp

Download
memory/4532-399-0x0000000000000000-mapping.dmp

Download
memory/4588-299-0x0000000000000000-mapping.dmp

Download
memory/4644-402-0x0000000000000000-mapping.dmp

Download
memory/4668-184-0x0000000000000000-mapping.dmp

Download
memory/4676-250-0x0000000000000000-mapping.dmp

Download
memory/4712-378-0x0000000000000000-mapping.dmp

Download
memory/4720-189-0x0000000000000000-mapping.dmp

Download
memory/4720-309-0x0000000000000000-mapping.dmp

Download
memory/4728-489-0x0000017A7F740000-0x0000017A7F742000-memory.dmp

Filesize
8KB

Download
memory/4728-486-0x0000017A7F743000-0x0000017A7F745000-memory.dmp

Filesize
8KB

Download
memory/4728-513-0x0000017A7F746000-0x0000017A7F748000-memory.dmp

Filesize
8KB

Download
memory/4760-254-0x0000000000000000-mapping.dmp

Download
memory/4768-368-0x0000000000000000-mapping.dmp

Download
memory/4772-194-0x0000000000000000-mapping.dmp

Download
memory/4792-357-0x0000000000000000-mapping.dmp

Download
memory/4828-330-0x0000000000000000-mapping.dmp

Download
memory/4828-199-0x0000000000000000-mapping.dmp

Download
memory/4848-403-0x0000000000000000-mapping.dmp

Download
memory/4856-204-0x0000000000000000-mapping.dmp

Download
memory/4856-343-0x0000000000000000-mapping.dmp

Download
memory/4868-336-0x0000000000000000-mapping.dmp

Download
memory/4876-262-0x0000000000000000-mapping.dmp

Download
memory/4916-264-0x0000000000000000-mapping.dmp

Download
memory/4932-209-0x0000000000000000-mapping.dmp

Download
memory/4940-353-0x0000000000000000-mapping.dmp

Download
memory/4948-269-0x0000000000000000-mapping.dmp

Download
memory/4960-392-0x0000000000000000-mapping.dmp

Download
memory/4968-465-0x000000001B590000-0x000000001B592000-memory.dmp

Filesize
8KB

Download
memory/4972-315-0x0000000000000000-mapping.dmp

Download
memory/4984-214-0x0000000000000000-mapping.dmp

Download
memory/4984-320-0x0000000000000000-mapping.dmp

Download
memory/4996-324-0x0000000000000000-mapping.dmp

Download
memory/5000-275-0x0000000000000000-mapping.dmp

Download
memory/5072-219-0x0000000000000000-mapping.dmp

Download
memory/5076-279-0x0000000000000000-mapping.dmp

Download
memory/5092-373-0x0000000000000000-mapping.dmp

Download
memory/5116-396-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/5116-393-0x0000000000000000-mapping.dmp

Download
memory/5116-398-0x000000001BA60000-0x000000001BA62000-memory.dmp

Filesize
8KB

Download