Analysis
max time kernel: 124s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-06-2024 01:17

Static task: static1

Behavioral task behavioral1
  Sample: Driver.dll
  Resource: win7-20231129-en
Behavioral task behavioral2
  Sample: Driver.dll
  Resource: win10v2004-20240508-en
Behavioral task behavioral3
  Sample: NcCrack Loader.exe
  Resource: win7-20240220-en
Behavioral task behavioral4
  Sample: NcCrack Loader.exe
  Resource: win10v2004-20240611-en
Behavioral task behavioral5
  Sample: config.ini
  Resource: win7-20240221-en
Behavioral task behavioral6
  Sample: config.ini
  Resource: win10v2004-20240611-en
General
Target: NcCrack Loader.exe
Size: 54.0MB
MD5: 7da9f4a912992fb26434573d65a1a0fc
SHA1: 39a8bef04bc19ed39567039dd054174f5a6bfd1b
SHA256: 060de3b4cf3056f24de882b4408020cee0510cb1ff0e5007c621bc98e5b4bdf3
SHA512: 503d03b6b6654bcc1fd5a8dd6e0660bec06ac416509a6d5583cfd42168eae6adf2360f87a7b325140d4bcf430c799be1efce41c9763b992f9ac79f0a028bc445
SSDEEP: 196608:Is6PAGLjQoTUlr/t/COz17LUU27lSalE8neeyh0f7Z+o3nPKAcfM2e1:IdPAGHXmztE0D8neewqZ+jS
Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
  description: PID 5164 created 2720 | pid: 5164 | process: BitLockerToGo.exe | target process: sihost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Executes dropped EXE 1 IoCs
Processes:
  pid: 5044 | process: driver1.exe

Checks whether UAC is enabled 1 IoCs
Processes:
  description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: NcCrack Loader.exe

Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | process: NcCrack Loader.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | process: NcCrack Loader.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
  description: PID 5044 set thread context of 5164 | pid: 5044 | process: driver1.exe | target process: BitLockerToGo.exe

Program crash 2 IoCs
Processes:
  pid: 6044 | pid_target: 5164 | process: WerFault.exe | target process: BitLockerToGo.exe
  pid: 6088 | pid_target: 5164 | process: WerFault.exe | target process: BitLockerToGo.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | process: msedgewebview2.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | process: msedgewebview2.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | process: msedgewebview2.exe

GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes:
  description: HTTP User-Agent header | flow: 53 | ioc: Go-http-client/1.1
  description: HTTP User-Agent header | flow: 30 | ioc: Go-http-client/1.1
  description: HTTP User-Agent header | flow: 54 | ioc: Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs
Processes:
  description: Set value (int) | ioc: \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634926588956722" | process: msedgewebview2.exe
  description: Key created | ioc: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | process: msedgewebview2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
  pid: 4916 | process: powershell.exe (3 IoCs)
  pid: 5164 | process: BitLockerToGo.exe (2 IoCs)
  pid: 5948 | process: dialer.exe (4 IoCs)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
Processes:
  pid: 1900 | process: msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  pid: 4556 | process: wmic.exe | tokens (the full sequence is logged twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid: 4916 | process: powershell.exe | token: SeDebugPrivilege
  pid: 1448 | process: wmic.exe | tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description: PID 2236 wrote to memory of 1900 | pid: 2236 | process: NcCrack Loader.exe | target process: msedgewebview2.exe (2 IoCs)
  description: PID 1900 wrote to memory of 1192 | pid: 1900 | process: msedgewebview2.exe | target process: msedgewebview2.exe (2 IoCs)
  description: PID 1900 wrote to memory of 2904 | pid: 1900 | process: msedgewebview2.exe | target process: msedgewebview2.exe (repeated many times)
  description: PID 1900 wrote to memory of 456 | pid: 1900 | process: msedgewebview2.exe | target process: msedgewebview2.exe (2 IoCs)
  description: PID 1900 wrote to memory of 5096 | pid: 1900 | process: msedgewebview2.exe | target process: msedgewebview2.exe (7 IoCs)

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(The number in brackets is the depth of the process in the tree; signatures triggered by a process are listed under its command line.)

[1] C:\Windows\system32\sihost.exe
    Command line: sihost.exe
  [2] C:\Windows\SysWOW64\dialer.exe
      Command line: "C:\Windows\system32\dialer.exe"
      - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\NcCrack Loader.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NcCrack Loader.exe"
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
      Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="NcCrack Loader.exe" --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-features=msSmartScreenProtection --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=2236.3712.17941087799452448735
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
        Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=125.0.2535.92 --initial-client-data=0x15c,0x160,0x164,0x138,0x16c,0x7ffb06894ef8,0x7ffb06894f04,0x7ffb06894f10
    [3] C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
        Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --webview-exe-name="NcCrack Loader.exe" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1748,i,11546350998701866743,7753872382151909961,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=1704 /prefetch:2
    [3] C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
        Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --webview-exe-name="NcCrack Loader.exe" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2020,i,11546350998701866743,7753872382151909961,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2028 /prefetch:3
    [3] C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
        Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --webview-exe-name="NcCrack Loader.exe" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2320,i,11546350998701866743,7753872382151909961,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2328 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
        Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --webview-exe-name="NcCrack Loader.exe" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3532,i,11546350998701866743,7753872382151909961,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
  [2] C:\Windows\System32\Wbem\wmic.exe
      Command line: wmic path win32_VideoController get name
      - Detects videocard installed
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\Wbem\wmic.exe
      Command line: wmic csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\ProgramData\driver1.exe
      Command line: C:\ProgramData\driver1.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
    [3] C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 432
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 428
          - Program crash
  [2] C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
      - Scheduled Task/Job: Scheduled Task

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4036,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3808 /prefetch:8

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5164 -ip 5164

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5164 -ip 5164
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads