Analysis

  • max time kernel
    531s
  • max time network
    505s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250217-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    20/02/2025, 09:42

General

  • Target

    Cryptic Installer.exe

  • Size

    12.1MB

  • MD5

    26115ce9c0aa825be82c500004825308

  • SHA1

    0883c65e4c063b61647865d58cd3a3d46324365b

  • SHA256

    909fdfeef66f20a0ce6275b334f8eec552f50222c0acb9f759f01a2c8c418d4b

  • SHA512

    1368efd81bd46c02703e39008b19635ebd3c9ea98b32d7ac3b90f11b09c286d9b45511dd1aee3e9f6998ee7ecb7f81c9f2cdb9ccea142cf09cdc6ebbaa5882d4

  • SSDEEP

    98304:b1FLZ04/tavoCAifjWKqgpvlYFDU2f8u06rA7BxMooQlititz12d:XT/taACAiCWvlYr8u0JrgQli6

Malware Config

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

  • Meduza Stealer payload 1 IoCs
  • Meduza family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 56 IoCs

    Run Powershell and hide display window.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Drops file in Windows directory 64 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cryptic Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Cryptic Installer.exe"
    1⤵
    • Checks whether UAC is enabled
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="Cryptic Installer.exe" --webview-exe-version=0.1.0 --user-data-dir="C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --lang=en-US --mojo-named-platform-channel-pipe=1752.3944.13223495273981076502
      2⤵
      • Drops file in Windows directory
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of WriteProcessMemory
      PID:248
      • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=132.0.2957.140 --initial-client-data=0x168,0x16c,0x170,0x144,0x128,0x7ff82894b078,0x7ff82894b084,0x7ff82894b090
        3⤵
          PID:3164
        • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
          "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=gpu-process --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView" --webview-exe-name="Cryptic Installer.exe" --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1704,i,10731470746917076884,9943125730898247598,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1700 /prefetch:2
          3⤵
            PID:3540
          • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
            "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView" --webview-exe-name="Cryptic Installer.exe" --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2012,i,10731470746917076884,9943125730898247598,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2028 /prefetch:11
            3⤵
              PID:3284
            • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
              "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView" --webview-exe-name="Cryptic Installer.exe" --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2268,i,10731470746917076884,9943125730898247598,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2272 /prefetch:13
              3⤵
                PID:4224
              • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
                "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView" --webview-exe-name="Cryptic Installer.exe" --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --always-read-main-dll --field-trial-handle=3576,i,10731470746917076884,9943125730898247598,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
                3⤵
                  PID:2100
                • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
                  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView" --webview-exe-name="Cryptic Installer.exe" --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=4736,i,10731470746917076884,9943125730898247598,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4740 /prefetch:14
                  3⤵
                    PID:3116
                  • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
                    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView" --webview-exe-name="Cryptic Installer.exe" --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=4780,i,10731470746917076884,9943125730898247598,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:14
                    3⤵
                      PID:3568
                    • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
                      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView" --webview-exe-name="Cryptic Installer.exe" --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4728,i,10731470746917076884,9943125730898247598,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:10
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:920
                    • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
                      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView" --webview-exe-name="Cryptic Installer.exe" --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=4804,i,10731470746917076884,9943125730898247598,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4544 /prefetch:14
                      3⤵
                        PID:4552
                      • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
                        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView" --webview-exe-name="Cryptic Installer.exe" --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=3916,i,10731470746917076884,9943125730898247598,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:14
                        3⤵
                          PID:1136
                        • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
                          "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView" --webview-exe-name="Cryptic Installer.exe" --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2176,i,10731470746917076884,9943125730898247598,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:14
                          3⤵
                            PID:1280
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3580
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4084
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2432
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4992
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1136
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4084
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2880
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3160
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2252
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3984
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1544
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4296
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like '*Microsoft Visual C++*2015-2022*' -and $_.Name -like '*64*' } # Also check registry as a fallback since Win32_Product is not always reliable $regKeys = @( 'HKLM:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64', 'HKLM:\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.29,bundle' ) $regInstalled = $false foreach ($key in $regKeys) { if (Test-Path $key) { $regInstalled = $true break } } if ($app -or $regInstalled) { Write-Output 'true' } else { Write-Output 'false' } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4488
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1532
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:5056
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1908
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1212
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1620
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3832
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3332
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1908
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2372
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2988
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1168
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1180
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3580
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1856
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2544
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2944
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1300
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2496
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          PID:3872
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          PID:3412
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          PID:2756
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          PID:3280
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          PID:4852
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          PID:2440
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -WindowStyle Hidden -Command " $app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like '*Microsoft Visual C++*2015-2022*' -and $_.Name -like '*64*' } # Also check registry as a fallback since Win32_Product is not always reliable $regKeys = @( 'HKLM:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64', 'HKLM:\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.29,bundle' ) $regInstalled = $false foreach ($key in $regKeys) { if (Test-Path $key) { $regInstalled = $true break } } if ($app -or $regInstalled) { Write-Output 'true' } else { Write-Output 'false' } "
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          PID:3056
                      • C:\Windows\system32\msiexec.exe
                        C:\Windows\system32\msiexec.exe /V
                        1⤵
                          PID:196

                        Network

                        MITRE ATT&CK Enterprise v15

                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                          Filesize

                          2KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          944B


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          944B


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          944B


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          944B


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          944B


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          944B


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          944B


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          944B


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          944B


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          944B


                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2zxtifqy.b0r.ps1

                          Filesize

                          60B


                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\4daed2d2-6d1b-445a-ab8c-82d8bbac8c17.tmp

                          Filesize

                          1KB


                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Crashpad\settings.dat

                          Filesize

                          280B


                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Crashpad\settings.dat

                          Filesize

                          280B


                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Crashpad\throttle_store.dat

                          Filesize

                          20B


                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\Code Cache\js\index-dir\the-real-index

                          Filesize

                          48B

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\Code Cache\js\index-dir\the-real-index

                          Filesize

                          72B

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\DawnWebGPUCache\data_0

                          Filesize

                          8KB

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\DawnWebGPUCache\data_1

                          Filesize

                          264KB

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\DawnWebGPUCache\data_2

                          Filesize

                          8KB

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\DawnWebGPUCache\data_3

                          Filesize

                          8KB

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\Extension Rules\MANIFEST-000001

                          Filesize

                          41B

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\Network\Network Persistent State

                          Filesize

                          111B

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\Network\Network Persistent State~RFe58b699.TMP

                          Filesize

                          59B

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\Network\SCT Auditing Pending Reports

                          Filesize

                          2B

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\Preferences

                          Filesize

                          6KB

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\Preferences~RFe582fb6.TMP

                          Filesize

                          6KB

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\Sync Data\LevelDB\CURRENT

                          Filesize

                          16B

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Local State

                          Filesize

                          2KB

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Local State

                          Filesize

                          3KB

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Local State

                          Filesize

                          16KB

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Local State

                          Filesize

                          16KB

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Local State

                          Filesize

                          18KB

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Local State

                          Filesize

                          18KB

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Local State~RFe579069.TMP

                          Filesize

                          1KB

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Subresource Filter\Unindexed Rules\10.34.0.57\Filtering Rules

                          Filesize

                          1.8MB

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Subresource Filter\Unindexed Rules\10.34.0.57\LICENSE

                          Filesize

                          24KB

                        • C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\TrustTokenKeyCommitments\2024.12.14.1\keys.json

                          Filesize

                          6KB

                        • C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping248_1070731860\manifest.json

                          Filesize

                          80B

                        • C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping248_1329066376\manifest.json

                          Filesize

                          116B

                        • C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping248_1397451268\manifest.json

                          Filesize

                          76B

                        • C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping248_1593593167\crl-set

                          Filesize

                          21KB

                        • C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping248_1593593167\manifest.json

                          Filesize

                          114B

                        • C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping248_407651607\hyph-as.hyb

                          Filesize

                          703B

                        • C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping248_407651607\hyph-hi.hyb

                          Filesize

                          687B

                        • C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping248_407651607\hyph-nb.hyb

                          Filesize

                          141KB

                        • C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping248_407651607\manifest.json

                          Filesize

                          82B
