Overview

Overall score: 9

Target (truncated as displayed)   Platform              Score
Static (task static)              -                     3
DuBrute - ...te.exe               windows7-x64          8
DuBrute - ...te.exe               windows10-2004-x64    8
DuBrute - ...e4.dll               windows7-x64          3
DuBrute - ...e4.dll               windows10-2004-x64    3
DuBrute - ...i4.dll               windows7-x64          3
DuBrute - ...i4.dll               windows10-2004-x64    3
DuBrute - ...32.dll               windows7-x64          3
DuBrute - ...32.dll               windows10-2004-x64    3
DuBrute - ...71.dll               windows7-x64          3
DuBrute - ...71.dll               windows10-2004-x64    3
DuBrute - ...ip.dll               windows7-x64          1
DuBrute - ...ip.dll               windows10-2004-x64    1
DuBrute - ...er.exe               windows7-x64          8
DuBrute - ...er.exe               windows10-2004-x64    8
DuBrute - ...e4.dll               windows7-x64          3
DuBrute - ...e4.dll               windows10-2004-x64    3
DuBrute - ...i4.dll               windows7-x64          3
DuBrute - ...i4.dll               windows10-2004-x64    3
DuBrute - ...ta.exe               windows7-x64          3
DuBrute - ...ta.exe               windows10-2004-x64    9
DuBrute - ...32.dll               windows7-x64          3
DuBrute - ...32.dll               windows10-2004-x64    3
DuBrute - ...71.dll               windows7-x64          3
DuBrute - ...71.dll               windows10-2004-x64    3
DuBrute - ...32.dll               windows7-x64          3
DuBrute - ...32.dll               windows10-2004-x64    3
DuBrute - ...32.dll               windows7-x64          3
DuBrute - ...32.dll               windows10-2004-x64    3

Analysis
max time kernel: 299s
max time network: 301s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/09/2024, 18:52
Static task: static1

Behavioral task   Sample                                       Resource
behavioral1       DuBrute - RDP CRACKER/DUBrute.exe            win7-20240903-en
behavioral2       DuBrute - RDP CRACKER/DUBrute.exe            win10v2004-20240802-en
behavioral3       DuBrute - RDP CRACKER/QtCore4.dll            win7-20240903-en
behavioral4       DuBrute - RDP CRACKER/QtCore4.dll            win10v2004-20240802-en
behavioral5       DuBrute - RDP CRACKER/QtGui4.dll             win7-20240903-en
behavioral6       DuBrute - RDP CRACKER/QtGui4.dll             win10v2004-20240802-en
behavioral7       DuBrute - RDP CRACKER/libeay32.dll           win7-20240704-en
behavioral8       DuBrute - RDP CRACKER/libeay32.dll           win10v2004-20240802-en
behavioral9       DuBrute - RDP CRACKER/msvcr71.dll            win7-20240903-en
behavioral10      DuBrute - RDP CRACKER/msvcr71.dll            win10v2004-20240802-en
behavioral11      DuBrute - RDP CRACKER/procs/Ionic.Zip.dll    win7-20240708-en
behavioral12      DuBrute - RDP CRACKER/procs/Ionic.Zip.dll    win10v2004-20240802-en
behavioral13      DuBrute - RDP CRACKER/procs/Launcher.exe     win7-20240903-en
behavioral14      DuBrute - RDP CRACKER/procs/Launcher.exe     win10v2004-20240802-en
behavioral15      DuBrute - RDP CRACKER/procs/QtCore4.dll      win7-20240903-en
behavioral16      DuBrute - RDP CRACKER/procs/QtCore4.dll      win10v2004-20240802-en
behavioral17      DuBrute - RDP CRACKER/procs/QtGui4.dll       win7-20240903-en
behavioral18      DuBrute - RDP CRACKER/procs/QtGui4.dll       win10v2004-20240802-en
behavioral19      DuBrute - RDP CRACKER/procs/data.exe         win7-20240903-en
behavioral20      DuBrute - RDP CRACKER/procs/data.exe         win10v2004-20240802-en
behavioral21      DuBrute - RDP CRACKER/procs/libeay32.dll     win7-20240903-en
behavioral22      DuBrute - RDP CRACKER/procs/libeay32.dll     win10v2004-20240802-en
behavioral23      DuBrute - RDP CRACKER/procs/msvcr71.dll      win7-20240903-en
behavioral24      DuBrute - RDP CRACKER/procs/msvcr71.dll      win10v2004-20240802-en
behavioral25      DuBrute - RDP CRACKER/procs/ssleay32.dll     win7-20240903-en
behavioral26      DuBrute - RDP CRACKER/procs/ssleay32.dll     win10v2004-20240802-en
behavioral27      DuBrute - RDP CRACKER/ssleay32.dll           win7-20240903-en
behavioral28      DuBrute - RDP CRACKER/ssleay32.dll           win10v2004-20240802-en
General

Target: DuBrute - RDP CRACKER/procs/data.exe
Size: 288KB
MD5: e4c2764b4bf6395365b34414d5e7cdf5
SHA1: 6078eef90dc6c949f99586bc65e9dfc34bc4a042
SHA256: 7175d69f1b0300e62b508506c10abd3d2de60c5e05c7339d3472508e2fe033ae
SHA512: 298622d05769ecbca183f6b3ca4d7d6d1198e8e895cfb1b273acd52debad3d9d3df63d9446bad449fff663d517155e76af76f132733e912f98d24ff7c3f8d166
SSDEEP: 6144:U8OYtRb9AceH+cgLfyw9Ekzq1HjYpVxjjifSHvOujMSxSjR8bkH:PRCcQGmYb
Malware Config
Signatures

Each signature below names the process the sandbox attributed it to, and the Processes tree further down repeats that attribution per process. The only signature raised by data.exe itself (PID 3752) is the NLS\Language registry read. The drive-root opens and the SCSI-key reads come from mstsc.exe, the Windows Remote Desktop client (the TSRedirFlags values it queries are Terminal Services device-redirection settings), and the remaining entries come from taskmgr.exe and chrome.exe, which appear as separate top-level processes in the tree rather than as children of data.exe. The two network signatures are not tied to a process in this report.

- Contacts a large (9926) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by mstsc.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every letter except C:, D: and F:)

- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened by data.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

- Checks SCSI registry key(s) (3 TTPs, 9 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  taskmgr.exe:
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  mstsc.exe:
    Key security queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\TSRedirFlags
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\TSRedirFlags
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\Device Parameters
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Device Parameters
    Key security queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  chrome.exe:
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer

- Modifies data under HKEY_USERS (2 IoCs)
  chrome.exe:
    Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
    Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133720232435269910"

- Modifies registry class (1 IoC)
  taskmgr.exe: Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 2500 mstsc.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 7476 taskmgr.exe (62 entries), PID 7848 chrome.exe (2 entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 7476 taskmgr.exe

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  PID 7848 chrome.exe (3 entries)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 7476 taskmgr.exe: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege
  PID 7848 chrome.exe: SeShutdownPrivilege and SeCreatePagefilePrivilege, requested alternately (the remaining 61 entries)

- Suspicious use of FindShellTrayWindow (64 IoCs)
  PID 7476 taskmgr.exe and PID 7848 chrome.exe (repeated entries)

- Suspicious use of SendNotifyMessage (64 IoCs)
  PID 7476 taskmgr.exe and PID 7848 chrome.exe (repeated entries)

- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2500 mstsc.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 7848 chrome.exe wrote to the memory of its child processes 7920 (procid_target 97), 8072 (98), 8100 (99) and 8144 (100); the same parent/child pairs repeat across the 64 entries
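The three process-level signatures above (a process contacting many distinct remote hosts, a process opening many drive roots, and a process reading the NLS\Language key or the Enum\SCSI subtree) are simple enough to re-derive from per-process event telemetry. What follows is an added example written for this page, not the sandbox vendor's code and not part of the DuBrute sample. It runs on constructed event records shaped like the IoC rows above: the PIDs and process names are taken from this report, the registry paths are the ones the report shows (with made-up SCSI hardware IDs), and the 150-host sweep on port 3389 is invented for the sample. The host and drive thresholds (100 and 5) are assumptions. Each hit is attributed to a PID, so that, as in this report, mstsc.exe's drive enumeration is not mistaken for activity of data.exe.

```python
"""Re-derive three of the report's per-process signatures from event telemetry.

Added example for this page; not the sandbox vendor's code and not part of
the DuBrute sample. Input events are constructed inline and shaped like the
report's IoC rows (process, event kind, target); they are not real telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    process: str
    kind: str      # "connect", "file_open" or "reg_open"
    target: str    # "host:port", a drive root such as \??\K:, or a registry path


# \??\K:  -> a drive-root open; the report flags a process once many letters are touched
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")
# The NLS\Language key data.exe opened (System Language Discovery)
REG_NLS_LANGUAGE = re.compile(r"\\SYSTEM\\ControlSet\d+\\Control\\NLS\\Language$", re.I)
# The Enum\SCSI subtree taskmgr.exe and mstsc.exe queried (Checks SCSI registry keys)
REG_SCSI_ENUM = re.compile(r"\\SYSTEM\\ControlSet\d+\\Enum\\SCSI\\", re.I)


def evaluate(events, host_threshold=100, drive_threshold=5):
    """Return {pid: {"process": name, "signatures": [...]}} for every PID that
    trips at least one of the three heuristics. Thresholds are assumptions."""
    hosts, ports, drives = defaultdict(set), defaultdict(set), defaultdict(set)
    nls_reads, scsi_reads, names = defaultdict(int), defaultdict(int), {}

    for ev in events:
        names[ev.pid] = ev.process
        if ev.kind == "connect":
            host, _, port = ev.target.rpartition(":")
            hosts[ev.pid].add(host)
            ports[ev.pid].add(port)
        elif ev.kind == "file_open":
            m = DRIVE_ROOT.match(ev.target)
            if m:
                drives[ev.pid].add(m.group(1))
        elif ev.kind == "reg_open":
            if REG_NLS_LANGUAGE.search(ev.target):
                nls_reads[ev.pid] += 1
            elif REG_SCSI_ENUM.search(ev.target):
                scsi_reads[ev.pid] += 1

    result = {}
    for pid, name in names.items():
        sigs = []
        n_hosts = len(hosts[pid])
        if n_hosts >= host_threshold:
            # Many distinct hosts on few ports is a host sweep (an RDP cracker
            # tries 3389 everywhere); many ports on one host would be a port scan.
            sigs.append(f"Contacts a large ({n_hosts}) amount of remote hosts "
                        f"on ports {sorted(ports[pid])}")
        if len(drives[pid]) >= drive_threshold:
            sigs.append(f"Enumerates connected drives ({len(drives[pid])} roots)")
        if nls_reads[pid]:
            sigs.append("System Location Discovery: System Language Discovery")
        if scsi_reads[pid]:
            sigs.append(f"Checks SCSI registry key(s) ({scsi_reads[pid]} IoCs)")
        if sigs:
            result[pid] = {"process": name, "signatures": sigs}
    return result


def constructed_events():
    """Constructed sample (not captured telemetry), mirroring the report's attribution."""
    ev = []
    # data.exe (PID 3752): one RDP connection attempt to each of 150 hosts in the
    # 192.0.2.0/24 documentation range, plus the NLS\Language read the report shows.
    for i in range(1, 151):
        ev.append(Event(3752, "data.exe", "connect", f"192.0.2.{i}:3389"))
    ev.append(Event(3752, "data.exe", "reg_open",
                    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"))
    # mstsc.exe (PID 2500): opens every drive root except C:, D: and F: (23 letters,
    # as in the report) and queries a SCSI Device Parameters key (hardware IDs made up).
    for letter in "ABEGHIJKLMNOPQRSTUVWXYZ":
        ev.append(Event(2500, "mstsc.exe", "file_open", f"\\??\\{letter}:"))
    ev.append(Event(2500, "mstsc.exe", "reg_open",
                    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"
                    r"\Disk&Ven_X&Prod_Y\4&1&0&000000\Device Parameters\TSRedirFlags"))
    # chrome.exe (PID 7848): reads a BIOS key, which none of these three rules covers.
    ev.append(Event(7848, "chrome.exe", "reg_open",
                    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"))
    return ev


if __name__ == "__main__":
    for pid, hit in sorted(evaluate(constructed_events()).items()):
        print(pid, hit["process"])
        for sig in hit["signatures"]:
            print("   ", sig)
```

Distinct hosts are counted per process and the destination-port set is reported with the hit, so a single-port host sweep (what an RDP cracker produces) stays distinguishable from a port scan of one host: both create many flows, but only the sweep touches many hosts. Raising `host_threshold` above the sweep size leaves data.exe with only the language-key hit, which is how the per-process attribution in this report looks once the network signatures are left aside.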
Processes

- PID 3752  "C:\Users\Admin\AppData\Local\Temp\DuBrute - RDP CRACKER\procs\data.exe"
  Signatures: System Location Discovery: System Language Discovery

- PID 7476  "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Checks SCSI registry key(s); Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

- PID 7728  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- PID 7772  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\DuBrute - RDP CRACKER\procs\good.txt

- PID 7848  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 7920  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffba580cc40,0x7ffba580cc4c,0x7ffba580cc58
  - PID 8072  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,9358207006984458289,15703602838889381024,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1836 /prefetch:2
  - PID 8100  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,9358207006984458289,15703602838889381024,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2228 /prefetch:3
  - PID 8144  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,9358207006984458289,15703602838889381024,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2444 /prefetch:8
  - PID 1724  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,9358207006984458289,15703602838889381024,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  - PID 2016  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3384,i,9358207006984458289,15703602838889381024,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3404 /prefetch:1
  - PID 4000  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,9358207006984458289,15703602838889381024,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3716 /prefetch:1
  - PID 2132  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4760,i,9358207006984458289,15703602838889381024,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4720 /prefetch:8
  - PID 1196  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4816,i,9358207006984458289,15703602838889381024,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4836 /prefetch:8
  - PID 760   "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4420,i,9358207006984458289,15703602838889381024,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4744 /prefetch:8
  - PID 1208  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4392,i,9358207006984458289,15703602838889381024,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4660 /prefetch:8
  - PID 9068  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4972,i,9358207006984458289,15703602838889381024,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4500 /prefetch:8

- PID 1580  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

- PID 4208  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

- PID 2500  "C:\Windows\system32\mstsc.exe"
  Signatures: Enumerates connected drives; Checks SCSI registry key(s); Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx

- PID 8816  C:\Windows\system32\AUDIODG.EXE 0x49c 0x404
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\092a8678-739e-4a8c-94ec-1a8dea12fa1a.tmp
  Filesize: 9KB
  MD5: c58cfb34b5836ac69a87b30401ab6f0d
  SHA1: 0e084338315b56068bc3dc241dbaa4d2c0fbd4f1
  SHA256: 47dc8bd6ebf3253cea7df25f4d7a27a1bcfbb834c63192f9f05e4825159f36f2
  SHA512: 15dfaf75241e297ed31e5601ea5f9d048791fe92867132580dfa6560f7e6af735a332c55fb4080d14a156a7c431746077819c65f244aa17f5b7dba7af3aa2463

- Filesize: 649B
  MD5: 8234819f636370543fb034bc5a0a63f7
  SHA1: badd04725727dab31a26e04ac714b4a2a6686fc7
  SHA256: f5fc1ec76780fc1270f528307a8fe3ecffc6c6a0e9956a4a04633f6510d25d78
  SHA512: 62e4ac312bc42d879d9eb07f19b5f3b4aa41d839fb9b17b06031ce4dfd9ab9aa114d15cdc30d81c5f0bcad172f57729eccca7af72d1442dd8cb4b8d2c1b615b2

- Filesize: 2KB
  MD5: 50bbb0c587b4a187c2dedda22d20a9eb
  SHA1: 6a8a5c10169cca677dabfdb54f6814e4b7f6ef24
  SHA256: 11e8553ff355e025e548dedd0e6cf52752dc81082e9a0c613f79e38b2ded076d
  SHA512: a99796e3a40bdadc98a3fe7004d1d59d517173bf8fd369c95ff1c76ad6c630203a1dd380f8bc74b14615ae2f73a86dd0784a1c7bace12cdf7418a905298c2e16

- Filesize: 2B (these are the well-known hashes of the two-byte JSON text "[]", i.e. an empty array)
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

- Filesize: 356B
  MD5: 8a89ca55d244892979e705768f32858f
  SHA1: cbc54947bbb66aa82cf83d8de1877f5dc8962730
  SHA256: 0992746dcbcf17e01cffed23b840e525fba1fe0660a9bb23bab76eba4502fcad
  SHA512: 8fa073e420a62fe037eaabbde313e01d0adbd98b78164f99c3ec964826e23f8a966238f35ce81c198b0b6ae4fb3c989866abca1f422101cd108eb3d2559e6430

- Filesize: 9KB
  MD5: 19d146f3a017470c5e18a3c3d1b8e5cd
  SHA1: e10efd56bffc369f7a3f49d3ab322f9bc5a9304b
  SHA256: 4b1b1ef938103fc7193bcab34ff18eb1148a509f51fc12946071724afc2abfd7
  SHA512: 9750209932e8f7bb97a0263fd6dea30f5ef74bf72065971169e672690e099ec3fc0fb4360f0311862e90c2b828c18fd313757b7297786684c6c263b87349d238

- Filesize: 9KB
  MD5: a54bd43b320ea717c7e19697fd0c9982
  SHA1: 61881ad63b8bd6d3ea7eb09aaa91d96df9e63b01
  SHA256: 214db50901d5ff16b6074eec22cc1684c5b961496ef7bb53794ff5225e2beb0c
  SHA512: e13e76170f8599aabfce77a3d7868e5ce362d89d0577834c6929d4739cdbbe0f1d334e21110b24b6bc89d231d40e08ee16e3a063e3fab4eff8492afc53a59c22

- Filesize: 9KB
  MD5: 7967952f37162bd21be7501f20a0183c
  SHA1: 5fd5a12409b9b4343e15bd00eb7b8b2816b1e964
  SHA256: cca65cd99418c59d7ef1030b7635a31c46d3ba101c4de8b94e6dab6a36c3b5c4
  SHA512: 9d310c5f4bb2419bb6446372610c23fd80891bc7fb56f1305a17308de888ef4e9aa4ecd05e5268a61e4aefd9d783ba7978d151c02bea1d5aab25e6787a90d140

- Filesize: 9KB
  MD5: 51755019b0e3dcf3fd6d83d0e166e05d
  SHA1: 9bdc6796b25021f6d88be2be5f35bee5d50b18e5
  SHA256: df38b093273ced7429b1ab4055086161c46920730675ba5cfac7a450dd76b613
  SHA512: 9d0343ded4ff67a3dc61c52c678b5cfb97eadb6f37410c17aee3d4058ecff6129412a4f19c3ac437deb33a99320c96cc3f302aafaf79804f7eae3390d6342ab6

- Filesize: 9KB
  MD5: 07c1d132fe99d8de33882d70daa99b83
  SHA1: 8546cc31b4ea06e51469ab087472a11e3693ac41
  SHA256: 57bc921d1ce76939d55a074b9411f0e75866cc001a943b4ea2b53547b9ee5ebe
  SHA512: 481b671811339b08565480d7068c0c2dedbfdc0a6f000d846afcf1a71d04b0bffdd4bd0394ab4592b08c954cbc9fa9c76d7b77824da0a5295bd489d2ac45ff83

- Filesize: 9KB
  MD5: 5af2bbfab35af60124f1cfbcd57ca624
  SHA1: 51110bc30bb4c85f13a4e0372171d0fe82c78706
  SHA256: 125d01a5895391d4d351a10d3d3c4a31bc79f4cb4f5472bdac7068ac93c98735
  SHA512: b663d022e7d37f15f26a4802e7fab0cf7991a2f3746422811dd3c16927c27ac327b0301d2cc5e7a9a06570dc3b724e2724557260f76942317ccf29947c6208b1

- Filesize: 9KB
  MD5: 0809883fa784916d8d938205d278e11a
  SHA1: 6ea93a6b3e6cfcb75a4f6cc744ed941b83ba01db
  SHA256: 3383ad4c654e2aa883f1b26ccc069f5f2f429fcb67d8856dfdcb69f9ee26a3c8
  SHA512: fc99417db23aec8c358f3f260447c08c10df1ffda43312cfcd607cad86cc46a3af0ed6f4fba7dc8b249ae32d14eacdf2f897cba641c8bc9e185cd04c16f6b6e0

- Filesize: 9KB
  MD5: d24d5b5d9608cc5febcd789fb5e77d2b
  SHA1: 122f22acb6db2ece75a691a6430bc0118559234f
  SHA256: 924d3910fd9151ef2bf88bd4cc61b720c08692cad0f9b7ad94f3fdb8402948e4
  SHA512: 6a3a8e38c162fad89ee26f77829f024edced179c019054f5a5e4a272261f5ef077b8a8072b1643ea89720020e780064763a2efb439fa328798a53fa542f0ee8d

- Filesize: 9KB
  MD5: 4e878071808fdbf4e976abd32d741d26
  SHA1: afdfa75f75a60f29928af9478722810a07078b23
  SHA256: 27b5fbad840fc15525210d7b7b897d75967c4254b1cc932d6e60e55c00fc0388
  SHA512: 2d2d32df6ce8aae6da3f78001eb4815198607e9d29fbb23da2de358ee4daf10502e38473db84e3ff5583bb39f200e59a67ddacfc38426c4088d0eca942f701da

- Filesize: 9KB
  MD5: 574ae6a35ea1989b3b643178ed69e7c4
  SHA1: a6c48216d30acb9d2ed555b4915b2817f062df13
  SHA256: ad9c53d048244b29b4d9ef29f112fae63f0313c4aee6b4e1debc4b0aca9e5729
  SHA512: 2712878310c15e5cfeb5380609ec7da90e0329336947338ed0bed08140fd4399626582af873fd0c9f58ae5eacb7b002c43ea03f5d2c18de0dcac52b7f38869f5

- Filesize: 9KB
  MD5: 1d37d5af84ce24a09e80cfbd65b2a29b
  SHA1: 628c16d7ea054d836d29a41b6ca79f668ad5126b
  SHA256: ecacc245cbb6c731032906d79866baeec8c86419dd23dcbb0fd7e600a18eac68
  SHA512: 6e539e6a6b8e6e788164dc16e71478408d8637e1abc0c6fa98a26dcafcb627903bdc82f2852816a534447ead75ba7b9c2c24a3db8327998a2935035872fab0ea

- Filesize: 9KB
  MD5: 5eec308b393c76565601644b2974a81c
  SHA1: 71f2b53a1fa5b72464c721ba00283eb92dbd0c70
  SHA256: 5bac6c888107af845c6e4cb1c21c4c213530cd7bba477247c85d522953e4de97
  SHA512: 9b92d242613ded244a7dba6066826a9d3c96aa804d3e5370e68bd63c544c1699b48b112465c630d807bbd1a6c9a19ee4eb2f683f8cf10a1f5da723050a21983b

- Filesize: 15KB
  MD5: 524ee17bfe0d5be2dd11879077f535a0
  SHA1: eb559141ae3ceb006f34d0f44b973b8e7ebab162
  SHA256: c68293fbbcc0f67a3df1cf67a0cb0c6b3fb9bca1638fef529d99bc8b143aae08
  SHA512: d610e04aec13b0190580af7c08ea7ec34b939b0939f62a01721573a46b1117024822f747ae9dffb19a0103dd73a1d17b31586b0cb668862ce09a3548e6993285

- Filesize: 212KB
  MD5: 808e4e94866cfeaf909cbe75b2377042
  SHA1: 6c517aa70cf90aa6ed460e2618230dd6afa38b0e
  SHA256: 86d2b478cb98097b2d2db1afe46b5f57c791a8f24dc6d362dbc793ec27a30bfc
  SHA512: 08c9836d3463bb80b7ac7e1c66a24ac5899abf7e94b4dccaa1b193ce67ebf828eff69bcc9ad6ae00e9f435dd52cd6a525c3ff20341add65b671bc412c1b26b79

- Filesize: 212KB
  MD5: 675c0a3246336d0d9aae1427b71580c2
  SHA1: 92780f36c5cb9e239e431c5668f8fd3cbc6fd30c
  SHA256: 7e8838f2abb497683e6e898da7e79d46ddfb30bbc8ee24e31928bdb9344458e3
  SHA512: 7b8f676fee47d7efd13d4c73c74d00983cce09011d348e0ded88cd71a1d3d0a43ee1021b253f5b9fa3154e2b041a2fe59c20408637e89f486a35d671e12437e2

- Filesize: 64B
  MD5: 1754fd80b5e4505e116ffe16790da124
  SHA1: b4f8e83ab4a39e85b385adfd66362a0692f051f8
  SHA256: 8a49f06fa116549f66b62e8b76418eb7b5298c649cd2c071c5b314cf4498b911
  SHA512: 0e2cd04e0e083cbc8927e79668dbc51cffb56c9ab1e40bbe350166f080d5ade42037372df4a432b2a2bbaf9c07ff9cf29f77099f4063eb202d6ccfe84651ed82