rhadamanthys | 380e7634606079bda646b9254ee41e4382b66d893023edbfa95d00f0dd8fb8a1

Resubmissions

22-06-2024 16:58

240622-vgsenazcmn 10

22-06-2024 16:01

240622-tgg39axgml 10

Analysis

max time kernel
209s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
22-06-2024 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NcCrack-Loader.zip
Size

12.8MB
MD5

18e398f15f5f2adbc5c0d8481f8a5100
SHA1

8f092c32b221ff1256e079cbc5ff606cffc0ff09
SHA256

380e7634606079bda646b9254ee41e4382b66d893023edbfa95d00f0dd8fb8a1
SHA512

c1825c7de4cba4e01a0d5d7a1c9b851f3d5467dc90623d26f9287467327c15959158ffb3ab776a4c24a5084b4b25e509978e2d88e9b1b7499fb25d8580fd0058
SSDEEP

393216:PQdfQ2QnNgnxIvrbNOGcPHaNH1C7z7mI26Bkjf+OugZFdw4V16gvp:POfQ/Ngx6oGt1C7fw6BPg5T1FR

Score

10^/10

rhadamanthys execution stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

BitLockerToGo.exe

description pid process target process

PID 5860 created 2756 5860 BitLockerToGo.exe sihost.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

5704 powershell.exe
5704 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

driver1.exe

pid process

5520 driver1.exe

description	pid	process	target process
PID 5860 created 2756	5860	BitLockerToGo.exe	sihost.exe

pid	process
5520	driver1.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

NcCrack Loader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	NcCrack Loader.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	NcCrack Loader.exe

Drops file in System32 directory 11 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

driver1.exe

description pid process target process

PID 5520 set thread context of 5860 5520 driver1.exe BitLockerToGo.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5092 5860 WerFault.exe BitLockerToGo.exe
5836 5860 WerFault.exe BitLockerToGo.exe

description	pid	process	target process
PID 5520 set thread context of 5860	5520	driver1.exe	BitLockerToGo.exe

pid	pid_target	process	target process
5092	5860	WerFault.exe	BitLockerToGo.exe
5836	5860	WerFault.exe	BitLockerToGo.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exeWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

5604 wmic.exe

pid	process
5604	wmic.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedgewebview2.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 87 Go-http-client/1.1
HTTP User-Agent header 89 Go-http-client/1.1
HTTP User-Agent header 90 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	87	Go-http-client/1.1
HTTP User-Agent header	89	Go-http-client/1.1
HTTP User-Agent header	90	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

Processes:

msedgewebview2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133635492346563288"	msedgewebview2.exe

Modifies registry class 1 IoCs

Processes:

mspaint.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings mspaint.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

5316 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

5976 WINWORD.EXE
5976 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	mspaint.exe

pid	process
5316	schtasks.exe

pid	process
5976	WINWORD.EXE
5976	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exetaskmgr.exeBitLockerToGo.exedialer.exe

pid	process
5704	powershell.exe
5704	powershell.exe
5704	powershell.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
5860	BitLockerToGo.exe
5860	BitLockerToGo.exe
5692	dialer.exe
5692	dialer.exe
5692	dialer.exe
5692	dialer.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

516 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

msedgewebview2.exe

pid process

1812 msedgewebview2.exe

pid	process
1812	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exepowershell.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	5604	wmic.exe
Token: SeSecurityPrivilege	5604	wmic.exe
Token: SeTakeOwnershipPrivilege	5604	wmic.exe
Token: SeLoadDriverPrivilege	5604	wmic.exe
Token: SeSystemProfilePrivilege	5604	wmic.exe
Token: SeSystemtimePrivilege	5604	wmic.exe
Token: SeProfSingleProcessPrivilege	5604	wmic.exe
Token: SeIncBasePriorityPrivilege	5604	wmic.exe
Token: SeCreatePagefilePrivilege	5604	wmic.exe
Token: SeBackupPrivilege	5604	wmic.exe
Token: SeRestorePrivilege	5604	wmic.exe
Token: SeShutdownPrivilege	5604	wmic.exe
Token: SeDebugPrivilege	5604	wmic.exe
Token: SeSystemEnvironmentPrivilege	5604	wmic.exe
Token: SeRemoteShutdownPrivilege	5604	wmic.exe
Token: SeUndockPrivilege	5604	wmic.exe
Token: SeManageVolumePrivilege	5604	wmic.exe
Token: 33	5604	wmic.exe
Token: 34	5604	wmic.exe
Token: 35	5604	wmic.exe
Token: 36	5604	wmic.exe
Token: SeIncreaseQuotaPrivilege	5604	wmic.exe
Token: SeSecurityPrivilege	5604	wmic.exe
Token: SeTakeOwnershipPrivilege	5604	wmic.exe
Token: SeLoadDriverPrivilege	5604	wmic.exe
Token: SeSystemProfilePrivilege	5604	wmic.exe
Token: SeSystemtimePrivilege	5604	wmic.exe
Token: SeProfSingleProcessPrivilege	5604	wmic.exe
Token: SeIncBasePriorityPrivilege	5604	wmic.exe
Token: SeCreatePagefilePrivilege	5604	wmic.exe
Token: SeBackupPrivilege	5604	wmic.exe
Token: SeRestorePrivilege	5604	wmic.exe
Token: SeShutdownPrivilege	5604	wmic.exe
Token: SeDebugPrivilege	5604	wmic.exe
Token: SeSystemEnvironmentPrivilege	5604	wmic.exe
Token: SeRemoteShutdownPrivilege	5604	wmic.exe
Token: SeUndockPrivilege	5604	wmic.exe
Token: SeManageVolumePrivilege	5604	wmic.exe
Token: 33	5604	wmic.exe
Token: 34	5604	wmic.exe
Token: 35	5604	wmic.exe
Token: 36	5604	wmic.exe
Token: SeDebugPrivilege	5704	powershell.exe
Token: SeIncreaseQuotaPrivilege	5888	wmic.exe
Token: SeSecurityPrivilege	5888	wmic.exe
Token: SeTakeOwnershipPrivilege	5888	wmic.exe
Token: SeLoadDriverPrivilege	5888	wmic.exe
Token: SeSystemProfilePrivilege	5888	wmic.exe
Token: SeSystemtimePrivilege	5888	wmic.exe
Token: SeProfSingleProcessPrivilege	5888	wmic.exe
Token: SeIncBasePriorityPrivilege	5888	wmic.exe
Token: SeCreatePagefilePrivilege	5888	wmic.exe
Token: SeBackupPrivilege	5888	wmic.exe
Token: SeRestorePrivilege	5888	wmic.exe
Token: SeShutdownPrivilege	5888	wmic.exe
Token: SeDebugPrivilege	5888	wmic.exe
Token: SeSystemEnvironmentPrivilege	5888	wmic.exe
Token: SeRemoteShutdownPrivilege	5888	wmic.exe
Token: SeUndockPrivilege	5888	wmic.exe
Token: SeManageVolumePrivilege	5888	wmic.exe
Token: 33	5888	wmic.exe
Token: 34	5888	wmic.exe
Token: 35	5888	wmic.exe
Token: 36	5888	wmic.exe

Suspicious use of FindShellTrayWindow 57 IoCs

Processes:

taskmgr.exe

pid	process
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe

Suspicious use of SendNotifyMessage 57 IoCs

Processes:

taskmgr.exe

pid	process
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

mspaint.exeOpenWith.exeWINWORD.EXE

pid	process
5760	mspaint.exe
5464	OpenWith.exe
5976	WINWORD.EXE
5976	WINWORD.EXE
5976	WINWORD.EXE
5976	WINWORD.EXE
5976	WINWORD.EXE
5976	WINWORD.EXE
5976	WINWORD.EXE
5976	WINWORD.EXE
5976	WINWORD.EXE
5976	WINWORD.EXE
5976	WINWORD.EXE
5976	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NcCrack Loader.exemsedgewebview2.exe

description	pid	process	target process
PID 4132 wrote to memory of 1812	4132	NcCrack Loader.exe	msedgewebview2.exe
PID 4132 wrote to memory of 1812	4132	NcCrack Loader.exe	msedgewebview2.exe
PID 1812 wrote to memory of 1596	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 1596	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3196	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3412	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 3412	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 2052	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 2052	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 2052	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 2052	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 2052	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 2052	1812	msedgewebview2.exe	msedgewebview2.exe
PID 1812 wrote to memory of 2052	1812	msedgewebview2.exe	msedgewebview2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2756

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5692

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NcCrack-Loader.zip
1⤵
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3028,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:8
1⤵
PID:2636

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:2248

C:\Users\Admin\Desktop\NcCrack-Loader\NcCrack Loader.exe
"C:\Users\Admin\Desktop\NcCrack-Loader\NcCrack Loader.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:4132

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="NcCrack Loader.exe" --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-features=msSmartScreenProtection --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=4132.3328.2361115058809500962
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:1812

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=125.0.2535.92 --initial-client-data=0x178,0x17c,0x180,0x154,0x18c,0x7ffd4bb84ef8,0x7ffd4bb84f04,0x7ffd4bb84f10
3⤵
PID:1596

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --webview-exe-name="NcCrack Loader.exe" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1748,i,745599559462392256,1768358856231652549,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=1728 /prefetch:2
3⤵
PID:3196

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --webview-exe-name="NcCrack Loader.exe" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=1380,i,745599559462392256,1768358856231652549,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2072 /prefetch:3
3⤵
PID:3412

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --webview-exe-name="NcCrack Loader.exe" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2336,i,745599559462392256,1768358856231652549,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2352 /prefetch:8
3⤵
PID:2052

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --webview-exe-name="NcCrack Loader.exe" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3540,i,745599559462392256,1768358856231652549,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
3⤵
PID:5328

C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
2⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:5604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5704

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get uuid
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5888

C:\Windows\system32\schtasks.exe
schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
2⤵
- Scheduled Task/Job: Scheduled Task
PID:5316

C:\ProgramData\driver1.exe
C:\ProgramData\driver1.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5520

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 464
4⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 456
4⤵
- Program crash
PID:5836

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5860 -ip 5860
1⤵
PID:5640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5860 -ip 5860
1⤵
PID:5848

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\SetRedo.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:5824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5464

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\UninstallConvert.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5976

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\driver1.exe
Filesize
17.0MB

MD5
c963419be29c357b22c3c14bc6cffdda

SHA1
e3bfd027a2833c05fd87ad6bfb3301cd36dbb400

SHA256
824d60bbe20868c5b89cf76f17fb4dd477dffb5a3c5f87b0eea0f009a04717de

SHA512
ce68ba3426fa66e7d9822c9eb574ec344f144956b7bcb58e610ecfc5ef2509bea8e4bdbe16b3ca3699d324957f13ffd1771cbc6895a2afc3d99b81b075665f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize
2KB

MD5
1e6aac6a0d5aab97b2881f64495146f6

SHA1
a9feaa1b49861e152a2185b337190e5d9798e832

SHA256
7945533e1b79b5df9efb4d75cdbf8937f7ed83386d40ec93ed7e3d1f66abbf3d

SHA512
9564942962546b6d06b12c71a62b5e9bd3120f136e8c2ce7507e670cb8434e5e176e36382023adacf05a1ac4afa0d9e56d70d1f5e8ed7f7b0be841845c7311c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_24dvierq.uyb.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Crashpad\settings.dat
Filesize
280B

MD5
321e1859469cc338c28e49adb423dfbd

SHA1
a0c5548b378df67149feebd9c16fb67f075e8187

SHA256
a75cfa91d7c8d657405ee31d2dd62e9c91903954379849808519ffec1edb42f4

SHA512
d36ca1d9149a5bf57933752b142860f13ad1a128806b14a8401373f0296b9edfc1357442e977de6c0a9f785c5183a398b67eb80baaaf3b1f2404f66c796678dc

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Crashpad\settings.dat
Filesize
280B

MD5
55c535220fbec81b7a0a733f92d87902

SHA1
233688829349debb9248c4018e7ac094a703daeb

SHA256
fcd7b0a57a2253f67a0c6d1a37f7ee318d5366447ead6e8189d7b1e7c4369166

SHA512
3e9b2d065726f17893261ffe7979b620808cd95a186ff2f3dc1007ec12a3dd69d3d7b3e334e63fd03af543836866adc7a167827f213fec641e060c402b15892c

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Crashpad\throttle_store.dat
Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\02621d49-81f7-444f-b4c2-f6d9e9c9534d.tmp
Filesize
6KB

MD5
6a4a9dfeb9b340e594ba6190b2bfd098

SHA1
7c6d25ab999a219774ba4444432ab986de875c6d

SHA256
85bfde1f0e45b9971eeb7160e454d70dcd7fbaf8abebb5a2e174f688e7e93902

SHA512
87a5cb1d148b44554d2c550170cc87af0c4b286ba2ff941fb7c6ab1070790739ba025a440dbe117b685a395c87fe87301be3a441094c0afcae110956c6c15a16

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B

MD5
69ae6a20c31e976570fb28f42baf7145

SHA1
8478512f36cc03b3b2bee64a4e5ac7a6ae5b4ef0

SHA256
c77b0787c87ea428531a3b707fd1c9166e89c973251fdc8a504d5221e583f1c7

SHA512
6d88d207b410091395fc4b1e836f2664487d7f50fc4ed01cc752135a4277d33b4e447cf455399241aaa00b49d48cdea89a3f804574db06fb262fe7bc6234d93b

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\Code Cache\js\index-dir\the-real-index~RFe59f776.TMP
Filesize
48B

MD5
69473d9538603ec631de16b65b0bd99c

SHA1
d0a9c442f7c86b08142e5f16b72f26bc737cd7ed

SHA256
e929b11951c6c48aa19a27d4b619e085f68013f25cc4e02bf66a27c707a5405d

SHA512
13665c0e22e9b9908bd28ac201e4554c5bb0b0f1341548552f448f12607e25859737325b39dc91039867e74b7910ca0724709ba8e6f1ad674d4a1f37d9cb2d36

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\DawnWebGPUCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\DawnWebGPUCache\data_1
Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\DawnWebGPUCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\DawnWebGPUCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\Extension Rules\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\Network\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\Network\Network Persistent State~RFe5a3394.TMP
Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\Preferences
Filesize
6KB

MD5
496a0c9356a51d49e9260e289fdfa7fd

SHA1
dc9688e74b024a9f7104a9b1f97c4f1da62e6f54

SHA256
e087e89005c54572636f3b7745dedf61b3adfc8dcaff00b4d7adc5fdfdf0ce0f

SHA512
bc43b3cfa6b3de6d35f50adbd6c978aa437425033fb36b3226aeb8ba983b22fce3f22ae0c0ff18e350e501c540b5900af5c407abf926c993f84d2672b05e9700

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Default\Sync Data\LevelDB\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local State
Filesize
1KB

MD5
5c772606ee5f36c05dc1e91590c4348d

SHA1
ec1c8a6c7c40247767d648634ff3484bf9c75157

SHA256
f595fdcce4a90e1e6e0049ce85696bc2d251b20a3490d3e35ef29a3472e1fe36

SHA512
a79bc1f331f8b9751d4153b1bdef1f7e1ab30de2dd06873166295e4c39465e6fcf66c579849439b0873d20ff7d9bec448c994ba0e7cedf5bd44eefed14c3a8d0

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local State
Filesize
2KB

MD5
ac34fc4d6de472e341c89fb61ae19d9c

SHA1
70679047b65314dd99015e102e0b3377b6cbb0c8

SHA256
e55401e2c1cb54fff73fe4e0538c4ae0338c37b862bbd472fc9b9bf78b6d62f2

SHA512
386d118b698e577358684dab60608abb317406d0b0c54ca3abb2a39b97a91d2ab63be3c9995549727c54c1efeeb1d78ea34338cb91512b28fa75bd6d7ce97e2c

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local State
Filesize
3KB

MD5
4f3d6740f284a680e7df872f5200ef7a

SHA1
5e307a589586b17cfdb289a36167c4606d11e0f5

SHA256
b0e5c5f8c39800c52b2655297890adb14fe34ffc638849ef254b1646ca8a2682

SHA512
45fd0607386b268202c0df38fbe443b1577a036ccf3fa8e5737fe9f87fb5cb8f54a9d47570ceab306e4ad6e769f6e159f428764e06ae7a5414c4a9fdff8adfc2

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local State
Filesize
16KB

MD5
9bf2f69b4dad6433472ac786c6be14cb

SHA1
5b6a25147d7103952fc1dcc87851c81e10933b9a

SHA256
75a4924e41f0eb93900f80e08ac357574706c888e033a892e0961f9774e072a2

SHA512
bba1ceaad4c882a9dd1f210b02e50ece0296b0df13cceb25c431be60bc5c6836c6c901ba0c8d13a18e414d39c00d83b294e77708ba51acb80c01a49ad7b4cea3

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local State
Filesize
16KB

MD5
c47337f686c9103085d54a52b9299d6f

SHA1
328d9a4f61168636c96e98d71d9f90d12737ef37

SHA256
b22b400fef977735bd57bc5126bb256c4866d35b3cbb5962c2aec0a9d64b6d4f

SHA512
9edeb6b7f6ad9dee68f68ac15c9961d7a2f87e0ec39487bb7cbc8d636c8274838dd993d8bf7999ec4501b624e25b3ce330935901c2ffda289b2d61140cba8a3c

Download Submit
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local State~RFe59a5ac.TMP
Filesize
1KB

MD5
fae1db9bda702784f4e5537cf09fbca0

SHA1
f1cc256d5335c613ebf966e830d6fa127fe0532f

SHA256
e94331564544c4dcd06e68474ceb2e3f83202f25394854defc76b90a50376485

SHA512
9cd14009936240220604234b4adf979d4505c8afa131415129286b4e656c2f6269616c9954309c0a654710ebd97594f33919b94d05edc2900e6f01e6efbd5475

Download Submit
\??\pipe\crashpad_1812_QBTMZLCWEFKJNWPS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/516-214-0x0000024EF8BF0000-0x0000024EF8BF1000-memory.dmp

Filesize
4KB

Download
memory/516-206-0x0000024EF8BF0000-0x0000024EF8BF1000-memory.dmp

Filesize
4KB

Download
memory/516-217-0x0000024EF8BF0000-0x0000024EF8BF1000-memory.dmp

Filesize
4KB

Download
memory/516-216-0x0000024EF8BF0000-0x0000024EF8BF1000-memory.dmp

Filesize
4KB

Download
memory/516-215-0x0000024EF8BF0000-0x0000024EF8BF1000-memory.dmp

Filesize
4KB

Download
memory/516-212-0x0000024EF8BF0000-0x0000024EF8BF1000-memory.dmp

Filesize
4KB

Download
memory/516-213-0x0000024EF8BF0000-0x0000024EF8BF1000-memory.dmp

Filesize
4KB

Download
memory/516-218-0x0000024EF8BF0000-0x0000024EF8BF1000-memory.dmp

Filesize
4KB

Download
memory/516-207-0x0000024EF8BF0000-0x0000024EF8BF1000-memory.dmp

Filesize
4KB

Download
memory/516-208-0x0000024EF8BF0000-0x0000024EF8BF1000-memory.dmp

Filesize
4KB

Download
memory/2052-80-0x00007FFD706F0000-0x00007FFD706F1000-memory.dmp

Filesize
4KB

Download
memory/2052-79-0x00007FFD70C50000-0x00007FFD70C51000-memory.dmp

Filesize
4KB

Download
memory/3196-26-0x00007FFD71EF0000-0x00007FFD71EF1000-memory.dmp

Filesize
4KB

Download
memory/3196-205-0x0000022E22280000-0x0000022E22395000-memory.dmp

Filesize
1.1MB

Download
memory/3196-431-0x0000022E22280000-0x0000022E22395000-memory.dmp

Filesize
1.1MB

Download
memory/5328-149-0x00007FFD71EF0000-0x00007FFD71EF1000-memory.dmp

Filesize
4KB

Download
memory/5520-267-0x00007FF6A84A0000-0x00007FF6A95FF000-memory.dmp

Filesize
17.4MB

Download
memory/5520-262-0x00007FF6A84A0000-0x00007FF6A95FF000-memory.dmp

Filesize
17.4MB

Download
memory/5692-441-0x0000000000A80000-0x0000000000A89000-memory.dmp

Filesize
36KB

Download
memory/5692-446-0x0000000077010000-0x0000000077225000-memory.dmp

Filesize
2.1MB

Download
memory/5692-444-0x00007FFD72670000-0x00007FFD72865000-memory.dmp

Filesize
2.0MB

Download
memory/5692-443-0x00000000026F0000-0x0000000002AF0000-memory.dmp

Filesize
4.0MB

Download
memory/5704-169-0x00000200F1590000-0x00000200F15B2000-memory.dmp

Filesize
136KB

Download
memory/5824-460-0x0000019293200000-0x0000019293201000-memory.dmp

Filesize
4KB

Download
memory/5824-464-0x0000019293290000-0x0000019293291000-memory.dmp

Filesize
4KB

Download
memory/5824-466-0x00000192932A0000-0x00000192932A1000-memory.dmp

Filesize
4KB

Download
memory/5824-465-0x00000192932A0000-0x00000192932A1000-memory.dmp

Filesize
4KB

Download
memory/5824-463-0x0000019293290000-0x0000019293291000-memory.dmp

Filesize
4KB

Download
memory/5824-451-0x000001928AEA0000-0x000001928AEB0000-memory.dmp

Filesize
64KB

Download
memory/5824-447-0x000001928AE60000-0x000001928AE70000-memory.dmp

Filesize
64KB

Download
memory/5824-458-0x0000019293180000-0x0000019293181000-memory.dmp

Filesize
4KB

Download
memory/5824-462-0x0000019293200000-0x0000019293201000-memory.dmp

Filesize
4KB

Download
memory/5860-268-0x0000000000E30000-0x0000000000E9D000-memory.dmp

Filesize
436KB

Download
memory/5860-436-0x0000000003C90000-0x0000000004090000-memory.dmp

Filesize
4.0MB

Download
memory/5860-440-0x0000000077010000-0x0000000077225000-memory.dmp

Filesize
2.1MB

Download
memory/5860-437-0x0000000003C90000-0x0000000004090000-memory.dmp

Filesize
4.0MB

Download
memory/5860-438-0x00007FFD72670000-0x00007FFD72865000-memory.dmp

Filesize
2.0MB

Download
memory/5860-266-0x0000000000E30000-0x0000000000E9D000-memory.dmp

Filesize
436KB

Download
memory/5976-469-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/5976-468-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/5976-471-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/5976-472-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/5976-473-0x00007FFD2FD90000-0x00007FFD2FDA0000-memory.dmp

Filesize
64KB

Download
memory/5976-474-0x00007FFD2FD90000-0x00007FFD2FDA0000-memory.dmp

Filesize
64KB

Download
memory/5976-470-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download