596db0b26451c60e2e618dd98f126e3932e238baa0432867203f83df27debd03

Analysis

max time kernel
101s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

release_ZYEPDenPwGhK14H.rar
Size

29.4MB
MD5

f5feb34e2a5c5f98d99bf419c3bf7095
SHA1

fe5164865b215081ab080eabbceb3ca7684a19f4
SHA256

596db0b26451c60e2e618dd98f126e3932e238baa0432867203f83df27debd03
SHA512

4d30fd23e77355ece63f20fd83b22b5f76bea7097e6f8ba9c18528b2abe98706a48aeb53dfd7b2aa1dcd8b0c4294b2bc4a2c99025885da842b2bb7b3cff8597f
SSDEEP

786432:q5rngpqNgncFFuOYTlTUP1eyThCFoJiSGY3y:qhgpggncniTl4YQhCFoJi23y

Score

7^/10

defense_evasion privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

r7flexpatcher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	r7flexpatcher.exe

Executes dropped EXE 5 IoCs

Processes:

r7flexpatcher.exer7flexcrack.exer7flexpatcher.exer7flexcrack.exer7flexcrack.exe

pid process

3272 r7flexpatcher.exe
4480 r7flexcrack.exe
5256 r7flexpatcher.exe
5380 r7flexcrack.exe
804 r7flexcrack.exe
Loads dropped DLL 1 IoCs

Processes:

r7flexpatcher.exe

pid process

5256 r7flexpatcher.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

r7flexcrack.exer7flexcrack.exer7flexcrack.exe

pid process

4480 r7flexcrack.exe
4480 r7flexcrack.exe
5380 r7flexcrack.exe
5380 r7flexcrack.exe
804 r7flexcrack.exe
804 r7flexcrack.exe
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
defense_evasion privilege_escalation

Create Process with Token
T1134.002

Processes:

r7flexcrack.exe

pid process

5380 r7flexcrack.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5256	r7flexpatcher.exe

pid	process
4480	r7flexcrack.exe
4480	r7flexcrack.exe
5380	r7flexcrack.exe
5380	r7flexcrack.exe
804	r7flexcrack.exe
804	r7flexcrack.exe

pid	process
5380	r7flexcrack.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

7zFM.exer7flexcrack.exer7flexpatcher.exer7flexcrack.exer7flexcrack.exe

pid	process
3684	7zFM.exe
3684	7zFM.exe
3684	7zFM.exe
3684	7zFM.exe
4480	r7flexcrack.exe
4480	r7flexcrack.exe
5256	r7flexpatcher.exe
5256	r7flexpatcher.exe
5380	r7flexcrack.exe
5380	r7flexcrack.exe
804	r7flexcrack.exe
804	r7flexcrack.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

3684 7zFM.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

7zFM.exefirefox.exer7flexpatcher.exe

description	pid	process
Token: SeRestorePrivilege	3684	7zFM.exe
Token: 35	3684	7zFM.exe
Token: SeSecurityPrivilege	3684	7zFM.exe
Token: SeSecurityPrivilege	3684	7zFM.exe
Token: SeDebugPrivilege	2724	firefox.exe
Token: SeDebugPrivilege	2724	firefox.exe
Token: SeDebugPrivilege	5256	r7flexpatcher.exe
Token: SeLoadDriverPrivilege	5256	r7flexpatcher.exe
Token: SeCreateGlobalPrivilege	5256	r7flexpatcher.exe
Token: SeLockMemoryPrivilege	5256	r7flexpatcher.exe
Token: 33	5256	r7flexpatcher.exe
Token: SeSecurityPrivilege	5256	r7flexpatcher.exe
Token: SeTakeOwnershipPrivilege	5256	r7flexpatcher.exe
Token: SeManageVolumePrivilege	5256	r7flexpatcher.exe
Token: SeBackupPrivilege	5256	r7flexpatcher.exe
Token: SeCreatePagefilePrivilege	5256	r7flexpatcher.exe
Token: SeShutdownPrivilege	5256	r7flexpatcher.exe
Token: SeRestorePrivilege	5256	r7flexpatcher.exe
Token: 33	5256	r7flexpatcher.exe
Token: SeIncBasePriorityPrivilege	5256	r7flexpatcher.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

7zFM.exer7flexcrack.exefirefox.exer7flexcrack.exe

pid	process
3684	7zFM.exe
3684	7zFM.exe
3684	7zFM.exe
3684	7zFM.exe
4480	r7flexcrack.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
804	r7flexcrack.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

firefox.exe

pid	process
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

r7flexpatcher.exer7flexcrack.exefirefox.exer7flexpatcher.exer7flexcrack.exer7flexcrack.exe

pid	process
3272	r7flexpatcher.exe
4480	r7flexcrack.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
5256	r7flexpatcher.exe
5380	r7flexcrack.exe
804	r7flexcrack.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7zFM.exer7flexcrack.execmd.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3684 wrote to memory of 3272	3684	7zFM.exe	r7flexpatcher.exe
PID 3684 wrote to memory of 3272	3684	7zFM.exe	r7flexpatcher.exe
PID 4480 wrote to memory of 2000	4480	r7flexcrack.exe	cmd.exe
PID 4480 wrote to memory of 2000	4480	r7flexcrack.exe	cmd.exe
PID 4480 wrote to memory of 1580	4480	r7flexcrack.exe	cmd.exe
PID 4480 wrote to memory of 1580	4480	r7flexcrack.exe	cmd.exe
PID 4480 wrote to memory of 428	4480	r7flexcrack.exe	cmd.exe
PID 4480 wrote to memory of 428	4480	r7flexcrack.exe	cmd.exe
PID 428 wrote to memory of 5004	428	cmd.exe	certutil.exe
PID 428 wrote to memory of 5004	428	cmd.exe	certutil.exe
PID 428 wrote to memory of 2840	428	cmd.exe	find.exe
PID 428 wrote to memory of 2840	428	cmd.exe	find.exe
PID 428 wrote to memory of 1296	428	cmd.exe	find.exe
PID 428 wrote to memory of 1296	428	cmd.exe	find.exe
PID 1736 wrote to memory of 2724	1736	firefox.exe	firefox.exe
PID 1736 wrote to memory of 2724	1736	firefox.exe	firefox.exe
PID 1736 wrote to memory of 2724	1736	firefox.exe	firefox.exe
PID 1736 wrote to memory of 2724	1736	firefox.exe	firefox.exe
PID 1736 wrote to memory of 2724	1736	firefox.exe	firefox.exe
PID 1736 wrote to memory of 2724	1736	firefox.exe	firefox.exe
PID 1736 wrote to memory of 2724	1736	firefox.exe	firefox.exe
PID 1736 wrote to memory of 2724	1736	firefox.exe	firefox.exe
PID 1736 wrote to memory of 2724	1736	firefox.exe	firefox.exe
PID 1736 wrote to memory of 2724	1736	firefox.exe	firefox.exe
PID 1736 wrote to memory of 2724	1736	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe
PID 2724 wrote to memory of 4068	2724	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\release_ZYEPDenPwGhK14H.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Users\Admin\AppData\Local\Temp\7zO46E2A4C7\r7flexpatcher.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO46E2A4C7\r7flexpatcher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3272

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4120

C:\Users\Admin\Desktop\New folder\r7flexcrack.exe
"C:\Users\Admin\Desktop\New folder\r7flexcrack.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Desktop\New folder\r7flexcrack.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Desktop\New folder\r7flexcrack.exe" MD5
    3⤵
    PID:5004
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2840
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1296

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1928 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f05c2c10-d1a1-4885-a8c2-48a6bbabb4d3} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" gpu
    3⤵
    PID:4068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f24898f-e193-4171-a2d6-e56524cbf005} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" socket
    3⤵
    PID:1844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 3144 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7708a517-2cf4-4aa9-93ad-e7f735001ad4} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" tab
    3⤵
    PID:1672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3988 -childID 2 -isForBrowser -prefsHandle 3980 -prefMapHandle 3976 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b6ad1ba-fa70-4974-aa45-a17e05631f42} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" tab
    3⤵
    PID:4936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4944 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4892 -prefMapHandle 4908 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e178d35-7a1a-4eb1-a841-80dd990755c0} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" utility
    3⤵
    - Checks processor information in registry
    PID:5540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 3 -isForBrowser -prefsHandle 5560 -prefMapHandle 5556 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d62df8e-3347-4e6a-8ea3-a3cd3013c634} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" tab
    3⤵
    PID:6140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 4 -isForBrowser -prefsHandle 5572 -prefMapHandle 5568 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59c18fb0-0762-4e9f-a792-5c8ade974fd0} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" tab
    3⤵
    PID:724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5960 -childID 5 -isForBrowser -prefsHandle 5700 -prefMapHandle 5584 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ca0d7e0-56ef-4d78-8593-cdbf3f337b73} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" tab
    3⤵
    PID:4076

C:\Users\Admin\Desktop\New folder\r7flexpatcher.exe
"C:\Users\Admin\Desktop\New folder\r7flexpatcher.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5256
- C:\Users\Admin\Desktop\New folder\r7flexcrack.exe
  "C:\Users\Admin\Desktop\New folder\r7flexcrack.exe" runas
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Access Token Manipulation: Create Process with Token
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Desktop\New folder\r7flexcrack.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    PID:5164
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\Desktop\New folder\r7flexcrack.exe" MD5
      4⤵
      PID:5668
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:5680
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:5692

C:\Users\Admin\Desktop\New folder\r7flexcrack.exe
"C:\Users\Admin\Desktop\New folder\r7flexcrack.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Desktop\New folder\r7flexcrack.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:5656
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Desktop\New folder\r7flexcrack.exe" MD5
    3⤵
    PID:5688
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:5696
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:5680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
1d99910d0afcd2d2758629bf3f77a2d3

SHA1
3c66526bf93b5ea04b43dc8f9ebf1021b60b8eed

SHA256
b612b9224a0bab2a9ceebb5eaaca8045cc88838613cabb196c7758b5b31f105f

SHA512
4b3a0c7505ee89d07b5312ba366d2f6c9309f054724be94080754cb4036a34125a1313f417453cd2ff4b39e5c1e451cac49baae7b66243f92156d6acefb546ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO46E2A4C7\r7flexpatcher.exe

Filesize
41KB

MD5
211679d0bf22b11671c9c8278072400f

SHA1
46767069ff081ae73fda2217a63b7b4f0c91e64a

SHA256
56c6f8cabe41895e7793fa4bd9936ea424e2e63459571f717a8d66cb808cdd96

SHA512
8e16bc0e1153996e56704ffae2c611ee43aa591fdcdad0c5bbca41cda41b19fe3c0e4ea720a19fe6bca6545c32622d9eabf9d618f96f2601e74d6e916cd3fa48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{E669B2C8-410E-4366-B477-A6AD92C40970}\Addresses.TMP

Filesize
31B

MD5
b600f35daf7eac3e4b7db8810bbe15c8

SHA1
d0c6452156b1af45dcc3b36065de1551bf4f079a

SHA256
396b7c6533bc9bd742ec9fd72e43611f9ed4a980d4131a3bb8d70037686f45e3

SHA512
a8ffeb4763cc469d0a1805cbfafe5fae5ef47a02179b7eebf19172e7e21602248d112addd8e743893817814e00c77e1ef9cc2bec3e4fb76d58b94f7e3fda338f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin

Filesize
8KB

MD5
9b53cf262e44a296b083468d9271eecd

SHA1
d2cfa13e71dc682dafef3d40973320d4d796e576

SHA256
13151a07131d09d3221588dbb349a91836f1199ecf6b8694c7c5f78fb7b66236

SHA512
cc97138c50bfafc15fca804199cc8f9c1ff4aa00e3a9282813daead4828ea934f3e5dfaa879710b8ecb14bc48937ae935759dd4e0d6cc8c04c8a3f71e517326b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
eacee4db77be151361330ca8aa4b3b73

SHA1
cb8f98bd0dcc7dd7809e61e8955b22bda1a6ef00

SHA256
654e331da2cb16b1f27e667018e02c9256d829adeb8a6d6585331f96a25abb68

SHA512
ca9e4b8eee3a4e17ce90540e37968c666f0d69624f339e36353707ad7412a8e93a678fed987d470627c1919f2f630c6fbd1595381318dc5816e15b94e8c2032e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\6350d582-e44d-4de2-8af4-6f8c43b7d464

Filesize
982B

MD5
419f892442cc29b8dbbe95c88d585373

SHA1
82ae8de6a2e40bad00572015216674732b347ebb

SHA256
a42ce29817a7a47861f0ce9fe54626d9497158144da267207209e041b2d25324

SHA512
d145221e54c52650b99634e46e182cf491157d16fe89ce650b63358e2dcb34a5df7293feb3ff601e715c10e6e7311085969fb673424cd3adce397d87740cee2d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\d51abc52-aba8-4244-88f0-fedcd4f4830e

Filesize
659B

MD5
348baaebd87e55d9d30a91081f142be8

SHA1
c046b3bd14846e49807616c9d53a77bca8fc9510

SHA256
b89199c51f724729a9131d0fe69836cb2ca59b3ea058522489b3ea736fe9baf9

SHA512
9ee4d914c3b27608679dbd181a8bc1f578adc2aec5ca326e0f3bec041bf35633b92ad57edb7120d95587561536ac2bf76e3a454b8b030d23350f71180beb193c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs-1.js

Filesize
10KB

MD5
1628cacbd60235b78284a47a06ea8f8a

SHA1
575cde6afa735d58f4eaa793bf4f901442ad5682

SHA256
bf2332adff9a709ed4d14a687046b4ef53e0dfede32ebfdb60e5794d2d77f42f

SHA512
587b8d309f0bf992aedd96fc2095b0ea8aeb73f3e3d2b9a6cd576db017926365106cd801bc07997f7f7bb75b7d6f2e52c14befbc2e707adc2bc6dbb31d2daf9a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs.js

Filesize
10KB

MD5
ee891cc0ab1eb3640450df21e4c2ad65

SHA1
76d8b12f0656ee3ffcde268ed66d979388bf26d4

SHA256
31adf9a73c9bb3614dcb1a43c1696c5fa6bc6c841c563f610442095dc2db39a2

SHA512
e69bca0f354472a647c060ad742c3b7a3dce0db01e1015e69c2cf224c52147fa20839aa2b0e945d7643d4a2edf9bd5adee739dfc5865e7b6d8a3116531a9a281

Download Submit
C:\Users\Admin\Desktop\New folder\ce-lib64.dll

Filesize
2.7MB

MD5
613f165469e6fdfeedfbcac79296906e

SHA1
f90782144ecd3681c76a3e986863240d4e17c215

SHA256
498de4f8bd87cbaf68344742f76e08dd241824148fb25fef8835ef069e56f804

SHA512
3523a3a351fd8f3a49b474dfb6530d8ac77eebdb93eb3711c6beff50aae35e9c0ebd3fd525db10f9fe9707752c87b94134a2ff4b7079149664f0628ef4991fc2

Download Submit
C:\Users\Admin\Desktop\New folder\r7flexcrack.exe

Filesize
34.8MB

MD5
3c1a75b28e979cf502b92931c1673ee9

SHA1
7f7b0e1baad3278325ae9ac873c7ed656223275c

SHA256
54f1b768ab994c06d7e2fe286b828d725e47759e4251c4b488eaa6b6ac710e5b

SHA512
e283606b50606586dd3a0a87240dd34a1738f0ea39a64a8f33aad14f292eb961204024ad7160fc5bfdf158a05a25cad6c205b005417549addf2e890ac9590af9

Download Submit
memory/804-422-0x00007FF68A750000-0x00007FF68DFBA000-memory.dmp

Filesize
56.4MB

Download
memory/4480-19-0x00007FF68A750000-0x00007FF68DFBA000-memory.dmp

Filesize
56.4MB

Download
memory/4480-18-0x00007FFA3EEE0000-0x00007FFA3EEE2000-memory.dmp

Filesize
8KB

Download
memory/4480-17-0x00007FFA3EED0000-0x00007FFA3EED2000-memory.dmp

Filesize
8KB

Download
memory/5380-323-0x00007FF68A750000-0x00007FF68DFBA000-memory.dmp

Filesize
56.4MB

Download