hxxps://www[.]mediafire[.]com/file/ix1zxdt59pd5m1n/cryptic-installer[.]exe/file

Resubmissions

28/03/2025, 21:12

250328-z2mr5a1xc1 8

28/03/2025, 21:08

250328-zy7ywssrx5 8

Analysis

max time kernel
288s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/ix1zxdt59pd5m1n/cryptic-installer.exe/file

Score

8^/10

defense_evasion discovery execution trojan

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1092	powershell.exe
6512	powershell.exe
7144	powershell.exe
1092	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
356	4152	msedge.exe

Executes dropped EXE 1 IoCs

pid	Process
6436	cryptic-installer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cryptic-installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
486	raw.githubusercontent.com
487	raw.githubusercontent.com
488	raw.githubusercontent.com
515	raw.githubusercontent.com
537	raw.githubusercontent.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\el\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\en_GB\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\ur\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\et\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\page_embed_script.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\lt\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\uk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_1872_1961629383\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\km\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\az\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\be\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\ms\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\mn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\hy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\offscreendocument_main.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\offscreendocument.html	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\hr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\ar\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\ru\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\lo\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\es\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\gu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\service_worker_bin_prod.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\pl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\ml\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\eu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\is\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\mr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\ko\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\pa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\it\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\en_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\fr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\da\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\no\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1872_217933741\_locales\en_US\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876699909669762"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-446031748-3036493239-2009529691-1000\{58FAE43E-F910-4096-AE6B-BC1D86CADEC2}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-446031748-3036493239-2009529691-1000\{83922176-E1D8-4610-875B-5EBAC06D9D63}	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
7144	powershell.exe
7144	powershell.exe
7144	powershell.exe
1092	powershell.exe
1092	powershell.exe
1092	powershell.exe
6220	msedge.exe
6220	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
6280	msedgewebview2.exe
1872	msedge.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	7144	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeIncreaseQuotaPrivilege	1092	powershell.exe
Token: SeSecurityPrivilege	1092	powershell.exe
Token: SeTakeOwnershipPrivilege	1092	powershell.exe
Token: SeLoadDriverPrivilege	1092	powershell.exe
Token: SeSystemProfilePrivilege	1092	powershell.exe
Token: SeSystemtimePrivilege	1092	powershell.exe
Token: SeProfSingleProcessPrivilege	1092	powershell.exe
Token: SeIncBasePriorityPrivilege	1092	powershell.exe
Token: SeCreatePagefilePrivilege	1092	powershell.exe
Token: SeBackupPrivilege	1092	powershell.exe
Token: SeRestorePrivilege	1092	powershell.exe
Token: SeShutdownPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeSystemEnvironmentPrivilege	1092	powershell.exe
Token: SeRemoteShutdownPrivilege	1092	powershell.exe
Token: SeUndockPrivilege	1092	powershell.exe
Token: SeManageVolumePrivilege	1092	powershell.exe
Token: 33	1092	powershell.exe
Token: 34	1092	powershell.exe
Token: 35	1092	powershell.exe
Token: 36	1092	powershell.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
6436	cryptic-installer.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 5696	1872	msedge.exe	86
PID 1872 wrote to memory of 5696	1872	msedge.exe	86
PID 1872 wrote to memory of 4152	1872	msedge.exe	87
PID 1872 wrote to memory of 4152	1872	msedge.exe	87
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5648	1872	msedge.exe	88
PID 1872 wrote to memory of 5852	1872	msedge.exe	89
PID 1872 wrote to memory of 5852	1872	msedge.exe	89
PID 1872 wrote to memory of 5852	1872	msedge.exe	89
PID 1872 wrote to memory of 5852	1872	msedge.exe	89
PID 1872 wrote to memory of 5852	1872	msedge.exe	89
PID 1872 wrote to memory of 5852	1872	msedge.exe	89
PID 1872 wrote to memory of 5852	1872	msedge.exe	89
PID 1872 wrote to memory of 5852	1872	msedge.exe	89
PID 1872 wrote to memory of 5852	1872	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/ix1zxdt59pd5m1n/cryptic-installer.exe/file
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x260,0x7ffe1416f208,0x7ffe1416f214,0x7ffe1416f220
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1812,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2112,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2588,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:5852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3464,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3480,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4312,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=3516,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=3668,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=3628,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=3660 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=3432,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5536,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5540,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6128,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6424,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=4356,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6772,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=7016,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=7428,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=7492 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7452,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=7436 /prefetch:8
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=6412,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=7840 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=8016,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=7528 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8412,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=8308 /prefetch:8
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8420,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=7268 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7024,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7024,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8692,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=8704 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=8272,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=6968 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8976,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=8680 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7300,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:6540
- C:\Users\Admin\Downloads\cryptic-installer.exe
  "C:\Users\Admin\Downloads\cryptic-installer.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of FindShellTrayWindow
  PID:6436
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=cryptic-installer.exe --webview-exe-version=0.1.0 --user-data-dir="C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --lang=en-US --mojo-named-platform-channel-pipe=6436.6284.3254101609608858559
    3⤵
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:6280
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=132.0.2957.140 --initial-client-data=0x178,0x17c,0x180,0x154,0x188,0x7ffdef52b078,0x7ffdef52b084,0x7ffdef52b090
      4⤵
      PID:6256
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=gpu-process --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView" --webview-exe-name=cryptic-installer.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1744,i,3747811265678465433,2330732940157476627,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1768 /prefetch:2
      4⤵
      PID:6640
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView" --webview-exe-name=cryptic-installer.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2068,i,3747811265678465433,2330732940157476627,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2088 /prefetch:3
      4⤵
      PID:6668
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView" --webview-exe-name=cryptic-installer.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2420,i,3747811265678465433,2330732940157476627,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1756 /prefetch:8
      4⤵
      PID:4568
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView" --webview-exe-name=cryptic-installer.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --always-read-main-dll --field-trial-handle=3604,i,3747811265678465433,2330732940157476627,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3616 /prefetch:1
      4⤵
      PID:2824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:7144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -WindowStyle Hidden -Command " $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct; $foundAV = $false; foreach ($av in $avProducts) { # Skip Windows Defender as we check it separately if ($av.DisplayName -notlike '*Windows Defender*') { # Check if AV is enabled (bit 1 in productState should be 1) $hexState = [Convert]::ToString($av.ProductState, 16).PadLeft(6, '0') # Check if real-time protection is on (1) or off (0) $rtStatus = [Convert]::ToInt32($hexState.Substring(2, 2), 16) if ($rtStatus -band 0x10) { $foundAV = $true Write-Output \"enabled\" Write-Output $av.DisplayName exit } } } if (-not $foundAV) { Write-Output \"disabled\" Write-Output \"\" } "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -WindowStyle Hidden -Command "Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=564,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6132,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=8220 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7816,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=8944 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7760,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=3828 /prefetch:8
  2⤵
  PID:6504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=8984,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=1232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6344,i,15598690801529555690,5314809025249371331,262144 --variations-seed-version --mojo-platform-channel-handle=3236 /prefetch:8
  2⤵
  PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:6132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
a192fcdd2d5fbf15b81b20e8678b7b2c

SHA1
fccc142c4e71de7616422769d943c7ab521db43e

SHA256
6fbe02d6e07d0946e6c28406c2fab3e8e6751706683a54268325da38d03a9113

SHA512
b4c15fbce8179c3516717f2db67e2b7549310a78118afd04e9cd88a5e6dfb75c4cc838b67e64db0b2fe9264075bd16cedbc744e0f64980127c9bb869448fd3dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8625e8ce164e1039c0d19156210674ce

SHA1
9eb5ae97638791b0310807d725ac8815202737d2

SHA256
2f65f9c3c54fe018e0b1f46e3c593d100a87758346d3b00a72cb93042daf60a2

SHA512
3c52b8876982fe41d816f9dfb05cd888c551cf7efd266a448050c87c3fc52cc2172f53c83869b87d7643ce0188004c978570f35b0fcc1cb50c9fffea3dec76a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
a5e9c779612fa2c167532cabe9369cef

SHA1
064c0cbc8a6ce2933e156fc24f7915fdd462fa6a

SHA256
325b610515a21ac4dc1880cc936619147d7921e75bfc3b283253a5b913b2ee4e

SHA512
91177c89c25e9bfeb62042542f85031fd8b58639a0c961c901b617be6b1b677a5715560ed03d8892cd6395fb6fc0904a0274b4d83ab8b359932fce5d397f370a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57d707.TMP

Filesize
3KB

MD5
491ead5a8ee50198e3447c0240d0a8db

SHA1
756ba0359c25c6592713e921e643dea6c551ca9b

SHA256
1e07224e1368485c3976776bebedbdc1fba7004cd995f2f36a645fbfcf5811d8

SHA512
bbb80f062e7c7b63ffae52dd2cb21af27de29ed163cb0322f10c3c7c45b14ca2dd39ff3fa1f2f43b3d754ff02b551b404a3e0dd3a347f119891d88d51ae59f17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\563dc718-c744-4ed4-b2f1-8856c7b98c47.tmp

Filesize
19KB

MD5
5ec99ef5213289b89fc4ab0fb1933e5e

SHA1
b8d83d7180ade849b648e977b96d61e746594937

SHA256
150f0bdbc19e151ea77a07ef3dcf3663fa2509e0e450256f242808ba1a92be71

SHA512
d5bd54717f34845e9790b525597eb7b59db8dcd0334a127e10deb21bb7e5f8ff634246be06df8f9b9088ee014fc73d6e8f4c174d9aa9abd4512f99d1a85a25de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
22KB

MD5
4df561038e00fce6715893eccecd7fc1

SHA1
b0ad4ca5c3342a14045dca83b9afbd85192fc84f

SHA256
af9c5a5146197d4d933b185bd885cb83eda0812f5e671b3beeb8f7f2641f082e

SHA512
b07f07799c61f6ba942cfe5101fc7d17906a8221e3bbb1e823819e4a9eb059d251c1ff27b5cd6998adf59183f002a9ef85d425290eece0598e8949efbeddf19c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
29912fe23b942022f9f11c296ca4f1e1

SHA1
2d572ec05b9099532d767653545078ffc7207ac2

SHA256
bc5c2dc82f9295a8c9c631862d791e906113059db48b699de54a71fc6d02ba3b

SHA512
e50c38a922d6414036c523e7ddbebab453a40cbeaed14d1e82f3e810ad923d52d2e62204fe208f399e5a377dab327911e73136ed56e3305469910e78c9d54639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
a0157c8d7099004907296577b006a5ca

SHA1
4365f17d6bd150462a19ce6fe163c81f3138dcf8

SHA256
6a1c1c238054e24c9369692bf707e98199c28715840702438819ba757c24d9d0

SHA512
7a7aaac50fe5a11aa02dce27ec5f4cf508e490d2031e93479ec49af73232213e1ff9ce1ed06e5d2dfe4b8a7e8a7040fce07327c42d0d64f5505d7703f412a788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\dee92d96-e090-4e13-adf0-a28de96fd592.tmp

Filesize
22KB

MD5
7e43258a3834b0719af85d24682e6b41

SHA1
0f3761b4b04533776a90c005a6bf352618141e9a

SHA256
5abc791ab3e95ce3f828462cd1d8cfdec8895968f0fc204d4f6493fd7efe12b5

SHA512
b3f9e4a5d6fe94a26c9e5a8171e37f91a388b7f66800c3a4e0515130d2746c131237ecbea69f9d8b716d060ebc41b43b7436f52ea15bd17fb644e92a49548ddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\8972ac2e-b470-4c81-ac38-10c9bdf0a9ee.tmp

Filesize
437B

MD5
9d5bcb283a8a39c641738b96441c1e7e

SHA1
083de9cb386382c58f1dc25795945690bf3614db

SHA256
e2d5c7db2fee2a7e07340f8dee191a0361de985695332a129984f6af05d997d6

SHA512
d586e338d232e0d24e33271c381476e83a84be753efc5b63d3b80bb79e0a290f262b91b0237c6dec6214e2184904d7a5a0ba203a552b0d9cfa94ae6564c727f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
d65aecbb6b62fe9a053fe49a6fea5c25

SHA1
458b4a3ecf67a9f484aecb8bfd2c53f3a88e5aee

SHA256
5a8eb38f73458dd1bb57b778d2834eb92690b22756de07d8ffe0547f0022111f

SHA512
997f9c57d0734b6b97b3a0e79ffc0a37c4c52b9a7beb2a86e66fdea113bc1fe19e338f84a50db2a2e09a7a8fc8897f5dce22e46457d0e6af38e10a2184d50662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
bd9abb6764235da123b5f54bdb2a1824

SHA1
7b4d8cbf2a429b48e1d22e0a9505d65f9f3a41d5

SHA256
78a600f41a9e1bbc57d15e12e3ab76a6ccdbf9d680dd9f4432c60599cead72c5

SHA512
e029f87c2f3345f4bb0de262ac5453cb7dc871e14f5cbaaf0dc6b092c85ea993daaf31c377f965b2bc5a28e322026ae602c3a8ab020758443bba134cb7cc9e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
3733d7320c8b9da2862c08a67267c40e

SHA1
67525871c39efa1021ee53bfafc8e220ae3eed34

SHA256
db2908d56b91beb1aa79c4dcc93d51a86eb2f96423e0c746e42064c039bdd433

SHA512
3fb421925091c6883559a741b09130e534eae378d8c4d5fa0764872be9e30bc1f291346c9da5c9009030d86d92bbb489d2c578f536b333c5b39c3abc8ab25adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
a37af6616f7a44d21d4f365a2bbecd61

SHA1
14eb7473ca510eae18caa4f2d045f2fafe29f349

SHA256
7918039b74b92e07add9719904fa3788e3c535a39f9d28ac9241b8e7efab7827

SHA512
1d65cd4d9e0fc2ca3f30d65517ce31f1c6367f070bc51aee6d0e4afb5bc4a8cb51fe44856cd0a782e5e4c821c4d24167670af1ae92d1919e7807059801b5099f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
c8e7e9abdf0083bcb90cbe350271c110

SHA1
29fd949d1f011d1123478e924f50f83a95d0753b

SHA256
fa007957e2e56da0d58f9174ad699d24514134cdd15fc12f842ce2cd585845fb

SHA512
7db50114db79b81fdfad13ada61df0ecdc20bfe96e5ec4d0579f4e47cd27c4d5481c75a5741271d80a87f0d3f11631a9ac802e4ae99ad5751a61e570d60d8bcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
555e68af1b8e33f84346bf2335e6191a

SHA1
fa078ed3a608f05ae2dd2db8ed52d6bafe8d510e

SHA256
91a76a2c6c73116293fb7e5bfb12b00ef8128a04fbbb44153f4fd63794b2b8ae

SHA512
6f3d5be098271b844d0cbd21d902e68ce80f0bcfa67e3fb507d11bacf15227d3e66397fec2691d7f3333194d4d2067ea416bcbb1d9739f661db3bab0259af44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m00vlvv0.lwj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\82007870-fb7c-4e93-ad79-cf1c99283992.tmp

Filesize
3KB

MD5
df1c2a565eede5c5d16f5ce41864ffbb

SHA1
d016fc3ff824470f39cfe3f33abe49909f11911c

SHA256
50f32faced4046abc7326c6a5c183f4c1ad3cebd1e978b34be171a3cc245cc7b

SHA512
72619954196fb16f5908d5f0288f67e802065bf50a2623421c99f018b238ef825cf2b89b2376d05747fcc5797527b52592e594da13c6ffc1d4e69b4d7dff23ef

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
cc85a6bb66f271952571c7b8e6a35d0b

SHA1
ae5ca5bdf03717e05b15cdeaf49bf4d9509506fe

SHA256
88e752fcc2f7bde64e9d5fe5f54ad0d707593dec881795e2d26782c8bec06495

SHA512
8d2c99538ccf757223ae59d56e40a7aa73e51e25ad30b27cad1e3a10c19cedf6e8f080e6f52c35a822d9f0a77e31512b63e7666ce9eb2bc1d9d86ab4bd5a3ca7

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
ff76648393f61abd5449c10f196c4069

SHA1
304878ff94fdd44abf339258a34f722536f30e37

SHA256
ad16ec001934cb44db6e7a14163a82bda563c334a889fd227e4b8f8e71a23ec7

SHA512
fb5d1b14d667bbca7ccc1ced84246a8cad7ff7c1b4ce71a63e4882328e2e30ddfb3e31d11bd955b457f85d425e0569b4b33e16514db56f49315ce9045f56e2a2

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\Code Cache\js\index-dir\temp-index

Filesize
72B

MD5
5abc28b35a912a07367bf4957398715a

SHA1
6ee14e7b3aeb3b3778f2b1b54fceaf29d7690e4c

SHA256
d860039b19ca281f063a3cb3f8125a4bd74bb838ac8db3832863e3f33e8c07f3

SHA512
2259467e2dd54edf85b42e7b4ff5753bb2395da72d0cb1a72ed9c235e7f06353245eefa104972bffbfbcf3f3bf13cf85603eff3c7e4640e20c1b39fb53279d76

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
9c8b8146ebb5cc5241f710cc006f4040

SHA1
e6f1defff2e096aca4f331ad6c492c0c02601941

SHA256
b4f2ee4a1435ba988e596f39fc412895eb4e6706da42417eed383b17040c25ec

SHA512
2b4a712fccdfbd785267aa72459e75d8e0adc88de57174068b0b7e79a16c8cd70683695aa6f3f184a41b27d698e0bfa70220596543241afbfa294a69633d6a9f

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\Network\811dd611-6e47-4370-94a0-dc4f2f937d50.tmp

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\Network\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Local State

Filesize
16KB

MD5
49bb78686f61c555e677356eda474031

SHA1
145546e81b05be3ca00e5b6dd0218af8be438ab6

SHA256
772e8be166cd376491d044d795ca623dfc2240991e61b0604b19d1e95663c877

SHA512
958fac728b51ea2fa85db98f4ea7b97ce9e2a61bfdb95a4b966c57da76a15f86128d048c0a395a8c2d5653fd97707717f2d03ab3eb25b7260f255fc8baa085dd

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Local State

Filesize
1KB

MD5
bcff123ea93e9f7624b8a77104821b4e

SHA1
60049da74a4ee1c6e1fa15a9229466928c40b94c

SHA256
b96895dfff2c5383d51bc4189cbaa240c6dfc286340d44ab36539814f5e3576a

SHA512
4cc1dd42eaf0473febf661627104f1674f37361d598b10a7b245f3a03161412585dfbe36f26b179e90e499c3d52e570a23e42d84c150e8e2fdbb54a81e975906

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Local State

Filesize
2KB

MD5
30ce18b10581083458470099c1936770

SHA1
cb08d00bd3b9dc8e3e026abb569f0025d77d4def

SHA256
649c45808f1981e6652acb14bdc89d264d77bc3aad1e6c570ed997dae45851be

SHA512
9d10b542210aa57ae631decc76ac8f6cd7ab5d3fed3b23e6eded5af5a9ddd731bf790404a9c1a3f2d687be4e77c1dd642366678852b21f47d87b60958b68fc64

Download Submit
C:\Users\Admin\AppData\Local\com.cryptic-installer.app\EBWebView\Local State~RFe57b71b.TMP

Filesize
1KB

MD5
d88b61867f6ce7e7bfd118a34a985f27

SHA1
eef1cfa04871e325e24cc56dbe0d94b4aed4eab0

SHA256
7540b87fb4185fe33c9897ce47a85f6da6e3467b7cf0d9e55bb58e5c6f7f120f

SHA512
ef02fee26e957179e19322033e41c7453c988f4fb45ed729d52d7cf51f490e5e51d964389399e2fc78981c10befd28d24c4d6133e138e3487f22a93860c9ee99

Download Submit
C:\Users\Admin\Downloads\cryptic-installer.exe

Filesize
12.0MB

MD5
17b04cb41cfb0b6999d8cf0a8d28e94d

SHA1
503123cc01869a9ea842f76589cc38428f47ec03

SHA256
1c2ec60ced172c925df46d40ed02f74ca72afc8f27a53a7691a8591c50c21c78

SHA512
fb1ca2da2f00163c0643e99ed1f4702f98dfdd3fffdf52376ca4e6378a695dd815d66b242e0b76ed5551df2e4af6df0ae6f63d96d3db596a39d5b50c6719a7a1

Download Submit
memory/1092-903-0x00000226BCD50000-0x00000226BCD74000-memory.dmp

Filesize
144KB

Download
memory/1092-902-0x00000226BCD50000-0x00000226BCD7A000-memory.dmp

Filesize
168KB

Download
memory/2824-861-0x00007FFE21D30000-0x00007FFE21D31000-memory.dmp

Filesize
4KB

Download
memory/4568-757-0x00007FFE21820000-0x00007FFE21821000-memory.dmp

Filesize
4KB

Download
memory/4568-756-0x00007FFE20F10000-0x00007FFE20F11000-memory.dmp

Filesize
4KB

Download
memory/6640-734-0x00007FFE21D30000-0x00007FFE21D31000-memory.dmp

Filesize
4KB

Download
memory/7144-878-0x000001E62FD70000-0x000001E62FD92000-memory.dmp

Filesize
136KB

Download