Analysis

max time kernel: 209s
max time network: 210s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-06-2024 16:58

Static task: static1
Behavioral task: behavioral1
Sample: NcCrack-Loader.zip
Resource: win10v2004-20240611-en
General

Target: NcCrack-Loader.zip
Size: 12.8MB
MD5:
18e398f15f5f2adbc5c0d8481f8a5100
SHA1:
8f092c32b221ff1256e079cbc5ff606cffc0ff09
SHA256:
380e7634606079bda646b9254ee41e4382b66d893023edbfa95d00f0dd8fb8a1
SHA512:
c1825c7de4cba4e01a0d5d7a1c9b851f3d5467dc90623d26f9287467327c15959158ffb3ab776a4c24a5084b4b25e509978e2d88e9b1b7499fb25d8580fd0058
SSDEEP:
393216:PQdfQ2QnNgnxIvrbNOGcPHaNH1C7z7mI26Bkjf+OugZFdw4V16gvp:POfQ/Ngx6oGt1C7fw6BPg5T1FR
Signatures

- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.

- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
    description           | pid  | process           | target process
    PID 5860 created 2756 | 5860 | BitLockerToGo.exe | sihost.exe

- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Run PowerShell and hide display window.

- Executes dropped EXE (1 IoC)
  Processes:
    pid  | process
    5520 | driver1.exe

- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    description       | ioc                                                         | process
    Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum   | NcCrack Loader.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | NcCrack Loader.exe

- Drops file in System32 directory (11 IoCs)
  Processes:
    description                  | ioc                                                                                        | process
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk         | svchost.exe
    File created                 | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log      | svchost.exe
    File created                 | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs | svchost.exe
    File created                 | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm  | svchost.exe
    File created                 | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat  | svchost.exe
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp         | svchost.exe
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log         | svchost.exe
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx         | svchost.exe
    File created                 | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs | svchost.exe
    File created                 | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk         | svchost.exe
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat  | svchost.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                         | pid  | process     | target process
    PID 5520 set thread context of 5860 | 5520 | driver1.exe | BitLockerToGo.exe

- Program crash (2 IoCs)
  Processes:
    pid  | pid_target | process      | target process
    5092 | 5860       | WerFault.exe | BitLockerToGo.exe
    5836 | 5860       | WerFault.exe | BitLockerToGo.exe

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description       | ioc                                                                                                                                                              | process
    Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                                 | taskmgr.exe
    Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                                    | taskmgr.exe

- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description       | ioc                                                                                  | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
    Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
    Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | taskmgr.exe

- Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine videocard installed.

- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes:
    description       | ioc                                                                   | process
    Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | msedgewebview2.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | msedgewebview2.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedgewebview2.exe
    Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS                    | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily       | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU          | WINWORD.EXE

- GoLang User-Agent (3 IoCs)
  Uses default user-agent string defined by GoLang HTTP packages.
  Processes:
    description            | flow | ioc
    HTTP User-Agent header | 87   | Go-http-client/1.1
    HTTP User-Agent header | 89   | Go-http-client/1.1
    HTTP User-Agent header | 90   | Go-http-client/1.1

- Modifies data under HKEY_USERS (2 IoCs)
  Processes:
    description     | ioc                                                                                                      | process
    Key created     | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                    | msedgewebview2.exe
    Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133635492346563288" | msedgewebview2.exe

- Modifies registry class (1 IoC)
  Processes:
    description | ioc                                                                                 | process
    Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | mspaint.exe

- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid  | process
    5976 | WINWORD.EXE
    5976 | WINWORD.EXE

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (consecutive identical rows collapsed; row count in parentheses):
    pid  | process
    5704 | powershell.exe (3 rows)
    516  | taskmgr.exe (52 rows)
    5860 | BitLockerToGo.exe (2 rows)
    5692 | dialer.exe (4 rows)
    516  | taskmgr.exe (3 rows)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid  | process
    516  | taskmgr.exe

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoC)
  Processes:
    pid  | process
    1812 | msedgewebview2.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (the table lists the same run of 21 tokens twice for PID 5604, then one token for PID 5704, then the run once for PID 5888):
    description | pid  | process
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (each listed twice, 42 rows) | 5604 | wmic.exe
    Token: SeDebugPrivilege (1 row) | 5704 | powershell.exe
    Token: the same 21 tokens as for PID 5604 (each listed once, 21 rows) | 5888 | wmic.exe

- Suspicious use of FindShellTrayWindow (57 IoCs)
  Processes:
    pid  | process
    516  | taskmgr.exe (57 rows)

- Suspicious use of SendNotifyMessage (57 IoCs)
  Processes:
    pid  | process
    516  | taskmgr.exe (57 rows)

- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes:
    pid  | process
    5760 | mspaint.exe
    5464 | OpenWith.exe
    5976 | WINWORD.EXE (12 rows)

- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (consecutive identical rows collapsed; row count in parentheses):
    description                      | pid  | process            | target process
    PID 4132 wrote to memory of 1812 | 4132 | NcCrack Loader.exe | msedgewebview2.exe (2 rows)
    PID 1812 wrote to memory of 1596 | 1812 | msedgewebview2.exe | msedgewebview2.exe (2 rows)
    PID 1812 wrote to memory of 3196 | 1812 | msedgewebview2.exe | msedgewebview2.exe (51 rows)
    PID 1812 wrote to memory of 3412 | 1812 | msedgewebview2.exe | msedgewebview2.exe (2 rows)
    PID 1812 wrote to memory of 2052 | 1812 | msedgewebview2.exe | msedgewebview2.exe (7 rows)

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by depth in the process tree; the signatures each process triggered are listed beneath it)

C:\Windows\system32\sihost.exe (depth 1)
  Command line: sihost.exe
  C:\Windows\SysWOW64\dialer.exe (depth 2)
    Command line: "C:\Windows\system32\dialer.exe"
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\Explorer.exe (depth 1)
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NcCrack-Loader.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3028,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:8

C:\Windows\System32\rundll32.exe (depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe (depth 1)
  Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding

C:\Users\Admin\Desktop\NcCrack-Loader\NcCrack Loader.exe (depth 1)
  Command line: "C:\Users\Admin\Desktop\NcCrack-Loader\NcCrack Loader.exe"
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="NcCrack Loader.exe" --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-features=msSmartScreenProtection --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=4132.3328.2361115058809500962
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe (depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=125.0.2535.92 --initial-client-data=0x178,0x17c,0x180,0x154,0x18c,0x7ffd4bb84ef8,0x7ffd4bb84f04,0x7ffd4bb84f10
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe (depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --webview-exe-name="NcCrack Loader.exe" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1748,i,745599559462392256,1768358856231652549,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=1728 /prefetch:2
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe (depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --webview-exe-name="NcCrack Loader.exe" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=1380,i,745599559462392256,1768358856231652549,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2072 /prefetch:3
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe (depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --webview-exe-name="NcCrack Loader.exe" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2336,i,745599559462392256,1768358856231652549,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2352 /prefetch:8
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe (depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView" --webview-exe-name="NcCrack Loader.exe" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3540,i,745599559462392256,1768358856231652549,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
  C:\Windows\System32\Wbem\wmic.exe (depth 2)
    Command line: wmic path win32_VideoController get name
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\Wbem\wmic.exe (depth 2)
    Command line: wmic csproduct get uuid
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\schtasks.exe (depth 2)
    Command line: schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
    - Scheduled Task/Job: Scheduled Task
  C:\ProgramData\driver1.exe (depth 2)
    Command line: C:\ProgramData\driver1.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (depth 3)
      Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 464
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 456
        - Program crash

C:\Windows\system32\taskmgr.exe (depth 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5860 -ip 5860

C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5860 -ip 5860

C:\Windows\system32\mspaint.exe (depth 1)
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\SetRedo.jpg" /ForceBootstrapPaint3D
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  - Drops file in System32 directory

C:\Windows\system32\OpenWith.exe (depth 1)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\UninstallConvert.rtf" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\ProgramData\driver1.exe
  Filesize: 17.0MB
  MD5: c963419be29c357b22c3c14bc6cffdda
  SHA1: e3bfd027a2833c05fd87ad6bfb3301cd36dbb400
  SHA256: 824d60bbe20868c5b89cf76f17fb4dd477dffb5a3c5f87b0eea0f009a04717de
  SHA512: ce68ba3426fa66e7d9822c9eb574ec344f144956b7bcb58e610ecfc5ef2509bea8e4bdbe16b3ca3699d324957f13ffd1771cbc6895a2afc3d99b81b075665f34
-
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local StateFilesize
1KB
MD55c772606ee5f36c05dc1e91590c4348d
SHA1ec1c8a6c7c40247767d648634ff3484bf9c75157
SHA256f595fdcce4a90e1e6e0049ce85696bc2d251b20a3490d3e35ef29a3472e1fe36
SHA512a79bc1f331f8b9751d4153b1bdef1f7e1ab30de2dd06873166295e4c39465e6fcf66c579849439b0873d20ff7d9bec448c994ba0e7cedf5bd44eefed14c3a8d0
-
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local StateFilesize
2KB
MD5ac34fc4d6de472e341c89fb61ae19d9c
SHA170679047b65314dd99015e102e0b3377b6cbb0c8
SHA256e55401e2c1cb54fff73fe4e0538c4ae0338c37b862bbd472fc9b9bf78b6d62f2
SHA512386d118b698e577358684dab60608abb317406d0b0c54ca3abb2a39b97a91d2ab63be3c9995549727c54c1efeeb1d78ea34338cb91512b28fa75bd6d7ce97e2c
-
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local StateFilesize
3KB
MD54f3d6740f284a680e7df872f5200ef7a
SHA15e307a589586b17cfdb289a36167c4606d11e0f5
SHA256b0e5c5f8c39800c52b2655297890adb14fe34ffc638849ef254b1646ca8a2682
SHA51245fd0607386b268202c0df38fbe443b1577a036ccf3fa8e5737fe9f87fb5cb8f54a9d47570ceab306e4ad6e769f6e159f428764e06ae7a5414c4a9fdff8adfc2
-
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local StateFilesize
16KB
MD59bf2f69b4dad6433472ac786c6be14cb
SHA15b6a25147d7103952fc1dcc87851c81e10933b9a
SHA25675a4924e41f0eb93900f80e08ac357574706c888e033a892e0961f9774e072a2
SHA512bba1ceaad4c882a9dd1f210b02e50ece0296b0df13cceb25c431be60bc5c6836c6c901ba0c8d13a18e414d39c00d83b294e77708ba51acb80c01a49ad7b4cea3
-
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local StateFilesize
16KB
MD5c47337f686c9103085d54a52b9299d6f
SHA1328d9a4f61168636c96e98d71d9f90d12737ef37
SHA256b22b400fef977735bd57bc5126bb256c4866d35b3cbb5962c2aec0a9d64b6d4f
SHA5129edeb6b7f6ad9dee68f68ac15c9961d7a2f87e0ec39487bb7cbc8d636c8274838dd993d8bf7999ec4501b624e25b3ce330935901c2ffda289b2d61140cba8a3c
-
C:\Users\Admin\AppData\Roaming\NcCrack Loader.exe\EBWebView\Local State~RFe59a5ac.TMPFilesize
1KB
MD5fae1db9bda702784f4e5537cf09fbca0
SHA1f1cc256d5335c613ebf966e830d6fa127fe0532f
SHA256e94331564544c4dcd06e68474ceb2e3f83202f25394854defc76b90a50376485
SHA5129cd14009936240220604234b4adf979d4505c8afa131415129286b4e656c2f6269616c9954309c0a654710ebd97594f33919b94d05edc2900e6f01e6efbd5475
-
\??\pipe\crashpad_1812_QBTMZLCWEFKJNWPSMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-