596db0b26451c60e2e618dd98f126e3932e238baa0432867203f83df27debd03

Analysis

max time kernel
92s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 00:52

Target

r7flexcrack.exe
Size

34.8MB
MD5

3c1a75b28e979cf502b92931c1673ee9
SHA1

7f7b0e1baad3278325ae9ac873c7ed656223275c
SHA256

54f1b768ab994c06d7e2fe286b828d725e47759e4251c4b488eaa6b6ac710e5b
SHA512

e283606b50606586dd3a0a87240dd34a1738f0ea39a64a8f33aad14f292eb961204024ad7160fc5bfdf158a05a25cad6c205b005417549addf2e890ac9590af9
SSDEEP

786432:uckh+w+C/tpgyVjaLYcs9dm9p22awtnKNeU9i:Z6kS7HmrvasnKMUE

Score

5^/10

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

r7flexcrack.exe

pid process

1580 r7flexcrack.exe
1580 r7flexcrack.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

r7flexcrack.exe

pid process

1580 r7flexcrack.exe
1580 r7flexcrack.exe

pid	process
1580	r7flexcrack.exe
1580	r7flexcrack.exe

pid	process
1580	r7flexcrack.exe
1580	r7flexcrack.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

r7flexcrack.execmd.exe

description	pid	process	target process
PID 1580 wrote to memory of 4992	1580	r7flexcrack.exe	cmd.exe
PID 1580 wrote to memory of 4992	1580	r7flexcrack.exe	cmd.exe
PID 1580 wrote to memory of 4652	1580	r7flexcrack.exe	cmd.exe
PID 1580 wrote to memory of 4652	1580	r7flexcrack.exe	cmd.exe
PID 1580 wrote to memory of 1492	1580	r7flexcrack.exe	cmd.exe
PID 1580 wrote to memory of 1492	1580	r7flexcrack.exe	cmd.exe
PID 1492 wrote to memory of 4316	1492	cmd.exe	certutil.exe
PID 1492 wrote to memory of 4316	1492	cmd.exe	certutil.exe
PID 1492 wrote to memory of 4488	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 4488	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 876	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 876	1492	cmd.exe	find.exe

C:\Users\Admin\AppData\Local\Temp\r7flexcrack.exe
"C:\Users\Admin\AppData\Local\Temp\r7flexcrack.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\r7flexcrack.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\r7flexcrack.exe" MD5
    3⤵
    PID:4316
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:4488
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:876

memory/1580-0-0x00007FF7B348E000-0x00007FF7B4973000-memory.dmp

Filesize
20.9MB

Download
memory/1580-2-0x00007FFDE22A0000-0x00007FFDE22A2000-memory.dmp

Filesize
8KB

Download
memory/1580-1-0x00007FFDE2290000-0x00007FFDE2292000-memory.dmp

Filesize
8KB

Download
memory/1580-7-0x00007FF7B33D0000-0x00007FF7B6C3A000-memory.dmp

Filesize
56.4MB

Download
memory/1580-8-0x00007FF7B348E000-0x00007FF7B4973000-memory.dmp

Filesize
20.9MB

Download
memory/1580-9-0x00007FF7B348E000-0x00007FF7B4973000-memory.dmp

Filesize
20.9MB

Download
memory/1580-10-0x00007FF7B33D0000-0x00007FF7B6C3A000-memory.dmp

Filesize
56.4MB

Download