rhadamanthys | 380e7634606079bda646b9254ee41e4382b66d893023edbfa95d00f0dd8fb8a1

Analysis

max time kernel
124s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
22-06-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NcCrack Loader.exe
Size

54.0MB
MD5

7da9f4a912992fb26434573d65a1a0fc
SHA1

39a8bef04bc19ed39567039dd054174f5a6bfd1b
SHA256

060de3b4cf3056f24de882b4408020cee0510cb1ff0e5007c621bc98e5b4bdf3
SHA512

503d03b6b6654bcc1fd5a8dd6e0660bec06ac416509a6d5583cfd42168eae6adf2360f87a7b325140d4bcf430c799be1efce41c9763b992f9ac79f0a028bc445
SSDEEP

196608:Is6PAGLjQoTUlr/t/COz17LUU27lSalE8neeyh0f7Z+o3nPKAcfM2e1:IdPAGHXmztE0D8neewqZ+jS

Score

10^/10

rhadamanthys evasion execution stealer trojan

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

BitLockerToGo.exe

description pid process target process

PID 5164 created 2720 5164 BitLockerToGo.exe sihost.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4916 powershell.exe
4916 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

driver1.exe

pid process

5044 driver1.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

NcCrack Loader.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NcCrack Loader.exe

description	pid	process	target process
PID 5164 created 2720	5164	BitLockerToGo.exe	sihost.exe

pid	process
4916	powershell.exe
4916	powershell.exe

pid	process
5044	driver1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NcCrack Loader.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

NcCrack Loader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	NcCrack Loader.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	NcCrack Loader.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

driver1.exe

description pid process target process

PID 5044 set thread context of 5164 5044 driver1.exe BitLockerToGo.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

6044 5164 WerFault.exe BitLockerToGo.exe
6088 5164 WerFault.exe BitLockerToGo.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

4556 wmic.exe

description	pid	process	target process
PID 5044 set thread context of 5164	5044	driver1.exe	BitLockerToGo.exe

pid	pid_target	process	target process
6044	5164	WerFault.exe	BitLockerToGo.exe
6088	5164	WerFault.exe	BitLockerToGo.exe

pid	process
4556	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedgewebview2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe

GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 53 Go-http-client/1.1
HTTP User-Agent header 30 Go-http-client/1.1
HTTP User-Agent header 54 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	53	Go-http-client/1.1
HTTP User-Agent header	30	Go-http-client/1.1
HTTP User-Agent header	54	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

Processes:

msedgewebview2.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634926588956722"	msedgewebview2.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3184 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exeBitLockerToGo.exedialer.exe

pid process

4916 powershell.exe
4916 powershell.exe
4916 powershell.exe
5164 BitLockerToGo.exe
5164 BitLockerToGo.exe
5948 dialer.exe
5948 dialer.exe
5948 dialer.exe
5948 dialer.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

msedgewebview2.exe

pid process

1900 msedgewebview2.exe

pid	process
3184	schtasks.exe

pid	process
4916	powershell.exe
4916	powershell.exe
4916	powershell.exe
5164	BitLockerToGo.exe
5164	BitLockerToGo.exe
5948	dialer.exe
5948	dialer.exe
5948	dialer.exe
5948	dialer.exe

pid	process
1900	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exepowershell.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4556	wmic.exe
Token: SeSecurityPrivilege	4556	wmic.exe
Token: SeTakeOwnershipPrivilege	4556	wmic.exe
Token: SeLoadDriverPrivilege	4556	wmic.exe
Token: SeSystemProfilePrivilege	4556	wmic.exe
Token: SeSystemtimePrivilege	4556	wmic.exe
Token: SeProfSingleProcessPrivilege	4556	wmic.exe
Token: SeIncBasePriorityPrivilege	4556	wmic.exe
Token: SeCreatePagefilePrivilege	4556	wmic.exe
Token: SeBackupPrivilege	4556	wmic.exe
Token: SeRestorePrivilege	4556	wmic.exe
Token: SeShutdownPrivilege	4556	wmic.exe
Token: SeDebugPrivilege	4556	wmic.exe
Token: SeSystemEnvironmentPrivilege	4556	wmic.exe
Token: SeRemoteShutdownPrivilege	4556	wmic.exe
Token: SeUndockPrivilege	4556	wmic.exe
Token: SeManageVolumePrivilege	4556	wmic.exe
Token: 33	4556	wmic.exe
Token: 34	4556	wmic.exe
Token: 35	4556	wmic.exe
Token: 36	4556	wmic.exe
Token: SeIncreaseQuotaPrivilege	4556	wmic.exe
Token: SeSecurityPrivilege	4556	wmic.exe
Token: SeTakeOwnershipPrivilege	4556	wmic.exe
Token: SeLoadDriverPrivilege	4556	wmic.exe
Token: SeSystemProfilePrivilege	4556	wmic.exe
Token: SeSystemtimePrivilege	4556	wmic.exe
Token: SeProfSingleProcessPrivilege	4556	wmic.exe
Token: SeIncBasePriorityPrivilege	4556	wmic.exe
Token: SeCreatePagefilePrivilege	4556	wmic.exe
Token: SeBackupPrivilege	4556	wmic.exe
Token: SeRestorePrivilege	4556	wmic.exe
Token: SeShutdownPrivilege	4556	wmic.exe
Token: SeDebugPrivilege	4556	wmic.exe
Token: SeSystemEnvironmentPrivilege	4556	wmic.exe
Token: SeRemoteShutdownPrivilege	4556	wmic.exe
Token: SeUndockPrivilege	4556	wmic.exe
Token: SeManageVolumePrivilege	4556	wmic.exe
Token: 33	4556	wmic.exe
Token: 34	4556	wmic.exe
Token: 35	4556	wmic.exe
Token: 36	4556	wmic.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeIncreaseQuotaPrivilege	1448	wmic.exe
Token: SeSecurityPrivilege	1448	wmic.exe
Token: SeTakeOwnershipPrivilege	1448	wmic.exe
Token: SeLoadDriverPrivilege	1448	wmic.exe
Token: SeSystemProfilePrivilege	1448	wmic.exe
Token: SeSystemtimePrivilege	1448	wmic.exe
Token: SeProfSingleProcessPrivilege	1448	wmic.exe
Token: SeIncBasePriorityPrivilege	1448	wmic.exe
Token: SeCreatePagefilePrivilege	1448	wmic.exe
Token: SeBackupPrivilege	1448	wmic.exe
Token: SeRestorePrivilege	1448	wmic.exe
Token: SeShutdownPrivilege	1448	wmic.exe
Token: SeDebugPrivilege	1448	wmic.exe
Token: SeSystemEnvironmentPrivilege	1448	wmic.exe
Token: SeRemoteShutdownPrivilege	1448	wmic.exe
Token: SeUndockPrivilege	1448	wmic.exe
Token: SeManageVolumePrivilege	1448	wmic.exe
Token: 33	1448	wmic.exe
Token: 34	1448	wmic.exe
Token: 35	1448	wmic.exe
Token: 36	1448	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NcCrack Loader.exemsedgewebview2.exe

description	pid	process	target process
PID 2236 wrote to memory of 1900	2236	NcCrack Loader.exe	msedgewebview2.exe
PID 2236 wrote to memory of 1900	2236	NcCrack Loader.exe	msedgewebview2.exe
PID 1900 wrote to memory of 1192	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 1192	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 2904	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 456	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 456	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 5096	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 5096	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 5096	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 5096	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 5096	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 5096	1900	msedgewebview2.exe	msedgewebview2.exe
PID 1900 wrote to memory of 5096	1900	msedgewebview2.exe	msedgewebview2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2720

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5948

C:\Users\Admin\AppData\Local\Temp\NcCrack Loader.exe
"C:\Users\Admin\AppData\Local\Temp\NcCrack Loader.exe"
1⤵
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:2236

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="NcCrack Loader.exe" --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-features=msSmartScreenProtection --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=2236.3712.17941087799452448735
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:1900

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=125.0.2535.92 --initial-client-data=0x15c,0x160,0x164,0x138,0x16c,0x7ffb06894ef8,0x7ffb06894f04,0x7ffb06894f10
3⤵
PID:1192

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --webview-exe-name="NcCrack Loader.exe" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1748,i,11546350998701866743,7753872382151909961,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=1704 /prefetch:2
3⤵
PID:2904

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --webview-exe-name="NcCrack Loader.exe" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2020,i,11546350998701866743,7753872382151909961,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2028 /prefetch:3
3⤵
PID:456

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --webview-exe-name="NcCrack Loader.exe" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2320,i,11546350998701866743,7753872382151909961,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2328 /prefetch:8
3⤵
PID:5096

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --webview-exe-name="NcCrack Loader.exe" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3532,i,11546350998701866743,7753872382151909961,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
3⤵
PID:1028

C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
2⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get uuid
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\ProgramData\driver1.exe
C:\ProgramData\driver1.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5044

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:5164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 432
4⤵
- Program crash
PID:6044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 428
4⤵
- Program crash
PID:6088

C:\Windows\system32\schtasks.exe
schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4036,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3808 /prefetch:8
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5164 -ip 5164
1⤵
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5164 -ip 5164
1⤵
PID:6072

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\driver1.exe
Filesize
17.0MB

MD5
c963419be29c357b22c3c14bc6cffdda

SHA1
e3bfd027a2833c05fd87ad6bfb3301cd36dbb400

SHA256
824d60bbe20868c5b89cf76f17fb4dd477dffb5a3c5f87b0eea0f009a04717de

SHA512
ce68ba3426fa66e7d9822c9eb574ec344f144956b7bcb58e610ecfc5ef2509bea8e4bdbe16b3ca3699d324957f13ffd1771cbc6895a2afc3d99b81b075665f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_klolp4de.z4o.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Crashpad\settings.dat
Filesize
280B

MD5
7c8cd77b29a05c821b7e817730d3e093

SHA1
604965fd8a7be9db92e4ce3b968ff3c925cd1df9

SHA256
36ff9631511625f342a8f2b7ea790f8a779ff683e386b6740979ae3f1f532041

SHA512
0c87447cd941782bcd0416f40bf45256d400b51fbd97108dbc427795cf0f43d54eb781000ed8dda7d4c0778dbaafefbe00c2e16143177c79e5408a1dd6dd4362

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Crashpad\settings.dat
Filesize
280B

MD5
ce094f77e66a49460e57cdcd40e15e27

SHA1
1db3f9a934c0da340e84db32719cb50e34704313

SHA256
847ddcb5e51f8dc89b4802edf474247b8f694af6c36b4de9a28efa2f56cdd763

SHA512
f9d88d3fe5a3c22d34ea883f5dcde97cac375acb96b154784a149c2d45fc2f9d53aea2f96c0c34bc7e4942b0f7dbec8d949a5e131beb1336217f397c74be8cde

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Crashpad\throttle_store.dat
Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\4a64bd87-57c6-4d6b-b9f7-0fdbbba7a497.tmp
Filesize
6KB

MD5
25c6a6f5262e6db83175bf122a4de443

SHA1
348b2c35e1d55c04737e2175e0f599e417deb74c

SHA256
d7aebd3421cda362221e74a377f2d0633534f308745a9f14bf19ca392a34dbe1

SHA512
4a6d95cf39029083cd9a7b89066251148ab898ceec7138b7f8c025d9b43628e1ae31715da51e34b5b229aa4683220a30f2d111a9b9ec111a0b26a5d895cde304

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
ad4031ed2c451c9091ce78b4932687a4

SHA1
5cae2d9b091e934dc3ffe16d060aa401f16d4620

SHA256
611d24842f2c4b5bb75b9f2172f4dd3fed21e490fa55ef67f9da90739c9da472

SHA512
8aa10478a263b6892ab2eeb90c049ef1985134eae3ce802ced2ed8aeaa5c4b2983e5dd579bbe6c3886d3fa9055467052c12d5f7e01c14bd6e3ff3f73d58c7dce

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B

MD5
664d6304bf21164bd5be1ed896f089ff

SHA1
c590f60fefb409ef3a3fea50cc588eb47e223865

SHA256
0931a947d4c86ae61232df73eeca980691b855f8a3e308d9339f44fb743948a7

SHA512
06cfa151be6141a5b22feb290a3d1e62cf037f969746e6801c5c973fd8cb141808afb7342a654945c4380a9bceb2f4481eef2a91a5508aff3a166cb165a16422

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\DawnGraphiteCache\data_1
Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\DawnWebGPUCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\DawnWebGPUCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\DawnWebGPUCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\Extension Rules\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\Network\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\Network\Network Persistent State~RFe588911.TMP
Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\Preferences
Filesize
6KB

MD5
16c346a89afe8482619871abee260e60

SHA1
a71d023d03ce705a178f9c90017f3dbfb08cfffa

SHA256
7e3bc7d9fce1e1613f4b03761fd822bda0830ba9e10fc6ce2de6118d60f2f316

SHA512
d5cba8f6a32da80520f0cbd3a2a5607f23aa16388313814300ca2c5bfee5aa6dc1164fb4a19e42c2f6c8a4146fd097dbf31dd610466e6847c0dd5276ca9a14d7

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\Sync Data\LevelDB\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local State
Filesize
1KB

MD5
e245d21d2f37856accaae3c62b51f994

SHA1
e6cebaf03c35977bd025ff4e78f607c29064412c

SHA256
da0b2eebcd9c0e0666405b8c28f3231cd46e2ba7248fe6c1519b6689880b1916

SHA512
1cf9e71a3575cd2da41a68cf85b5c781c23692ddbe1a19a22fac0e67248001ca7ddafd8ccab80c48702453b69789c4bad54183e740546d0b2131a11abf624b9a

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local State
Filesize
2KB

MD5
8cd78a2cad3ff41e1f687ec61ff77f99

SHA1
1b220cad17edc872686e6622af0d506aa549bb7f

SHA256
6fe35293cfab6c6b58c557d76b7a78e127a1db9185f383902b715dd3e6b31047

SHA512
ca2889878876e53d7a346659d90494f9e1f1689f6e27dab391660b821e8aa01347439aecffce071b012f7fe4679cddcc2fda25109b375c5c88e5bcab763443ab

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local State
Filesize
3KB

MD5
37161da1673e6787e04be0758f902cc1

SHA1
16ad29d4678cef96dd25c3613a7d3585015d8559

SHA256
bbb7fd6aaf692d5b2cde1244053e7801af4f7caaca2c4be9758e621372ed968d

SHA512
e8bb4bbe084e997ef7766eee04dfa9a333b100fbe271ef38ca964ea358a7e4c5a659f5849ce6c26d3bc7b4acba9d4511a4e2359f5fce12054cfd27373a10a7bc

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local State
Filesize
16KB

MD5
0785028664f828843e1410d7a1b60e63

SHA1
9dd347a202cced22022aa5e6dbdbccebcdba051d

SHA256
7b2e7e1fad68a89d744f9b75e097e62abd78a4c4c6719abb76a2cd0da9d16866

SHA512
1deb18cdcdc8c7444028c2f5f1ad984e53f20885c2bf806d6bc0ea0ad032a7926699a937fbc2542856c8992bc800b09cc4cef4b674c0e90933c828b2663472ef

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local State
Filesize
16KB

MD5
c20266f54532c66543c2768ed61078bf

SHA1
f70b8088951d2255a56781b9939eccc46425673c

SHA256
903e8e1f1dd803660276f423e2493cf1cac4623bed501b3a94416fa3f61ed33c

SHA512
5029a55d899293d1eee4a62c91619dfb407283551aa4f0e362f09e9e2eb81ab08249208b3f33c8422a2ba67941aca782aa26d9e6a7ad9f315303b3793a99ebdc

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local State~RFe57fa5e.TMP
Filesize
1KB

MD5
fc20dd5e2a4be0cb84c256ad8cc0d1b3

SHA1
e2380e8380cc34745a503eb8bb4098d683c13656

SHA256
010c525ab3c201abcfeb0ffb30215502893df6f3eb4c5e3a032bbeb86f4ba1f8

SHA512
4965129ebd5383ca32ab7bd69481a86e15c1cb285b7fa8424327ca6f4a3dc5c68ccd9814bd0cab4e1bf0ec361cd825eb6fcaed3875742f2101ce8ed79f477af6

Download Submit
memory/1028-144-0x00007FFB2B890000-0x00007FFB2B891000-memory.dmp

Filesize
4KB

Download
memory/2904-27-0x00007FFB2B890000-0x00007FFB2B891000-memory.dmp

Filesize
4KB

Download
memory/4916-167-0x000002842ABA0000-0x000002842ABC2000-memory.dmp

Filesize
136KB

Download
memory/5044-252-0x00007FF74E2C0000-0x00007FF74F41F000-memory.dmp

Filesize
17.4MB

Download
memory/5044-238-0x00007FF74E2C0000-0x00007FF74F41F000-memory.dmp

Filesize
17.4MB

Download
memory/5096-48-0x00007FFB2ACF0000-0x00007FFB2ACF1000-memory.dmp

Filesize
4KB

Download
memory/5096-47-0x00007FFB2CAD0000-0x00007FFB2CAD1000-memory.dmp

Filesize
4KB

Download
memory/5164-251-0x0000000000D80000-0x0000000000DED000-memory.dmp

Filesize
436KB

Download
memory/5164-250-0x0000000000D80000-0x0000000000DED000-memory.dmp

Filesize
436KB

Download
memory/5164-425-0x0000000003CE0000-0x00000000040E0000-memory.dmp

Filesize
4.0MB

Download
memory/5164-426-0x0000000003CE0000-0x00000000040E0000-memory.dmp

Filesize
4.0MB

Download
memory/5164-427-0x00007FFB2CC10000-0x00007FFB2CE05000-memory.dmp

Filesize
2.0MB

Download
memory/5164-429-0x0000000076810000-0x0000000076A25000-memory.dmp

Filesize
2.1MB

Download
memory/5948-430-0x0000000000C20000-0x0000000000C29000-memory.dmp

Filesize
36KB

Download
memory/5948-432-0x0000000002840000-0x0000000002C40000-memory.dmp

Filesize
4.0MB

Download
memory/5948-435-0x0000000076810000-0x0000000076A25000-memory.dmp

Filesize
2.1MB

Download
memory/5948-433-0x00007FFB2CC10000-0x00007FFB2CE05000-memory.dmp

Filesize
2.0MB

Download