Resubmissions
10/03/2024, 22:00  240310-1w1x8sch9x  8
10/03/2024, 21:39  240310-1h5n9scf6s  6
10/03/2024, 20:24  240310-y6vsvsbf5t  8

Analysis
max time kernel: 1129s
max time network: 1146s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 10/03/2024, 22:00

Static task: static1
Behavioral task: behavioral1
Sample: Modrinth App_0.6.3_x64_en-US.msi
Resource: win10-20240221-en
General
Target: Modrinth App_0.6.3_x64_en-US.msi
Size: 7.9MB
MD5: d95ca69045ee6c82c627dc8df9d862a4
SHA1: cc4f1c221d62c7480a732a5ed33f66f0fbe5c871
SHA256: 0893966473603deecbbfc6afa54aff221c12442840506bdbe7b99e688e27fac9
SHA512: acc5d781b803e34a7a8f8edda150bce0de0b0a31b4cfa82ca142460faf835d8cf9d297b236b0a8ae44b9c94184643b8bda5e2cd783b522eeb321c5f3bce9cee4
SSDEEP: 196608:jgVzBx4Ei4XNCud3TT+iYKJ+OkkKsmodF8bx:s94AXjT61K8O1Ksmob8b
Malware Config
Signatures
Blocklisted process makes network request  (4 IoCs)
flow | pid | Process
2 | 760 | msiexec.exe
4 | 760 | msiexec.exe
24 | 1576 | powershell.exe
26 | 1576 | powershell.exe

Modifies file permissions  (1 TTPs, 1 IoCs)
pid | Process
3184 | icacls.exe

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Modrinth App.exe

Downloads MZ/PE file
Enumerates connected drives  (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
Sets file execution options in registry  (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
Checks computer location settings  (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Control Panel\International\Geo\Nation | msedgewebview2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Control Panel\International\Geo\Nation | msedgewebview2.exe
Drops file in System32 directory  (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | MicrosoftEdgeUpdate.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | MicrosoftEdgeUpdate.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | MicrosoftEdgeUpdate.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | MicrosoftEdgeUpdate.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | MicrosoftEdgeUpdate.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | MicrosoftEdgeUpdate.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | MicrosoftEdgeUpdate.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | MicrosoftEdgeUpdate.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | MicrosoftEdgeUpdate.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | MicrosoftEdgeUpdate.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | MicrosoftEdgeUpdate.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | MicrosoftEdgeUpdate.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | MicrosoftEdgeUpdate.exe
Checks installed software on the system  (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks system information in the registry  (2 TTPs, 16 IoCs)
System information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Drops file in Program Files directory  (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\Locales\cy.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\identity_proxy\win11\identity_helper.Sparse.Stable.msix | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\Locales\tt.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\Locales\zh-CN.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\mip_protection_sdk.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\d3dcompiler_47.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\msedge_100_percent.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\Trust Protection Lists\Sigma\Cryptomining | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\Trust Protection Lists\Sigma\Social | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\Locales\sr-Latn-RS.pak | setup.exe
File opened for modification | C:\Program Files\MsEdgeCrashpad\metadata | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\Locales\pt-BR.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\Trust Protection Lists\Mu\Fingerprinting | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\pwahelper.exe | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\Locales\he.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\identity_proxy\win11\identity_helper.Sparse.Canary.msix | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\Trust Protection Lists\Mu\Cryptomining | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\edge_feedback\mf_trace.wprp | setup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EUBFD0.tmp\psuser_64.dll | MicrosoftEdgeWebview2Setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\mip_core.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\msedge_proxy.exe | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\Trust Protection Lists\Sigma\Content | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\Locales\vi.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EUBFD0.tmp\msedgeupdateres_en-GB.dll | MicrosoftEdgeWebview2Setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\dual_engine_adapter_x64.dll | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\Locales\fi.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\Locales\fr.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\Locales\nl.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\Locales\hi.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\identity_proxy\dev.identity_helper.exe.manifest | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\Trust Protection Lists\Mu\CompatExceptions | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\Locales\bn-IN.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\msedge_wer.dll | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\onramp.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\122.0.2365.80.manifest | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\Locales\lo.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\Locales\da.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EUBFD0.tmp\msedgeupdateres_eu.dll | MicrosoftEdgeWebview2Setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\Locales\ar.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source364_789563601\msedge_7z.data | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\delegatedWebFeatures.sccd | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\PdfPreview\PdfPreviewHandler.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\Locales\pl.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EUBFD0.tmp\msedgeupdateres_ja.dll | MicrosoftEdgeWebview2Setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\dxcompiler.dll | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\Locales\hu.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\vcruntime140.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\Locales\en-GB.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\Trust Protection Lists\Mu\LICENSE | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\identity_proxy\win11\identity_helper.Sparse.Canary.msix | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\Trust Protection Lists\Sigma\Other | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\Locales\pt-BR.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\identity_proxy\win10\identity_helper.Sparse.Canary.msix | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\msedge.exe | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\vk_swiftshader_icd.json | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\Locales\fr.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedge_100_percent.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\Locales\sv.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.80\identity_proxy\win10\identity_helper.Sparse.Canary.msix | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\VisualElements\SmallLogoDev.png | setup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EUBFD0.tmp\MicrosoftEdgeUpdateBroker.exe | MicrosoftEdgeWebview2Setup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EUBFD0.tmp\msedgeupdateres_et.dll | MicrosoftEdgeWebview2Setup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EUBFD0.tmp\msedgeupdateres_ug.dll | MicrosoftEdgeWebview2Setup.exe
Drops file in Windows directory  (10 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\{E4B6FD54-752E-4499-8948-13C336BB0C8B}\ProductIcon | msiexec.exe
File created | C:\Windows\Installer\e58968e.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\SourceHash{E4B6FD54-752E-4499-8948-13C336BB0C8B} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI98EF.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{E4B6FD54-752E-4499-8948-13C336BB0C8B}\ProductIcon | msiexec.exe
File created | C:\Windows\Installer\e589690.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e58968e.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
Executes dropped EXE  (30 IoCs)
pid | Process
4220 | MicrosoftEdgeWebview2Setup.exe
1544 | MicrosoftEdgeUpdate.exe
3180 | MicrosoftEdgeUpdate.exe
3960 | MicrosoftEdgeUpdate.exe
68 | MicrosoftEdgeUpdateComRegisterShell64.exe
3984 | MicrosoftEdgeUpdateComRegisterShell64.exe
2324 | MicrosoftEdgeUpdateComRegisterShell64.exe
4660 | MicrosoftEdgeUpdate.exe
4104 | MicrosoftEdgeUpdate.exe
3532 | MicrosoftEdgeUpdate.exe
3736 | MicrosoftEdgeUpdate.exe
5012 | MicrosoftEdge_X64_122.0.2365.80.exe
364 | setup.exe
2744 | setup.exe
1528 | MicrosoftEdgeUpdate.exe
2484 | MicrosoftEdgeUpdate.exe
3584 | MicrosoftEdgeUpdate.exe
4972 | Modrinth App.exe
4352 | msedgewebview2.exe
4672 | msedgewebview2.exe
4900 | msedgewebview2.exe
4628 | msedgewebview2.exe
4416 | msedgewebview2.exe
3736 | msedgewebview2.exe
3956 | msedgewebview2.exe
2236 | msedgewebview2.exe
5052 | javaw.exe
1756 | msedgewebview2.exe
2636 | msedgewebview2.exe
1228 | msedgewebview2.exe
Loads dropped DLL  (53 IoCs)
pid | Process
2152 | MsiExec.exe
1544 | MicrosoftEdgeUpdate.exe
68 | MicrosoftEdgeUpdateComRegisterShell64.exe
3960 | MicrosoftEdgeUpdate.exe
3984 | MicrosoftEdgeUpdateComRegisterShell64.exe
3960 | MicrosoftEdgeUpdate.exe
2324 | MicrosoftEdgeUpdateComRegisterShell64.exe
3960 | MicrosoftEdgeUpdate.exe
3532 | MicrosoftEdgeUpdate.exe
4104 | MicrosoftEdgeUpdate.exe
1528 | MicrosoftEdgeUpdate.exe
2152 | MsiExec.exe
4972 | Modrinth App.exe
4352 | msedgewebview2.exe
4672 | msedgewebview2.exe
4352 | msedgewebview2.exe
4352 | msedgewebview2.exe
4628 | msedgewebview2.exe
4900 | msedgewebview2.exe
4628 | msedgewebview2.exe
4900 | msedgewebview2.exe
4416 | msedgewebview2.exe
3736 | msedgewebview2.exe
4416 | msedgewebview2.exe
3736 | msedgewebview2.exe
3736 | msedgewebview2.exe
4900 | msedgewebview2.exe
4900 | msedgewebview2.exe
4900 | msedgewebview2.exe
4900 | msedgewebview2.exe
4352 | msedgewebview2.exe
4352 | msedgewebview2.exe
4352 | msedgewebview2.exe
3956 | msedgewebview2.exe
3956 | msedgewebview2.exe
3956 | msedgewebview2.exe
2236 | msedgewebview2.exe
2236 | msedgewebview2.exe
5052 | javaw.exe
5052 | javaw.exe
5052 | javaw.exe
5052 | javaw.exe
5052 | javaw.exe
5052 | javaw.exe
5052 | javaw.exe
5052 | javaw.exe
5052 | javaw.exe
1756 | msedgewebview2.exe
1756 | msedgewebview2.exe
2636 | msedgewebview2.exe
2636 | msedgewebview2.exe
1228 | msedgewebview2.exe
1228 | msedgewebview2.exe
Registers COM server for autorun  (1 TTPs, 31 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{983A8821-FE45-462A-919F-41A3B80645B2}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.21\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.21\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.21\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.21\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.21\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{983A8821-FE45-462A-919F-41A3B80645B2}\InProcServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{983A8821-FE45-462A-919F-41A3B80645B2}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.21\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{983A8821-FE45-462A-919F-41A3B80645B2}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.21\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{983A8821-FE45-462A-919F-41A3B80645B2}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{983A8821-FE45-462A-919F-41A3B80645B2}\InProcServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.21\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{983A8821-FE45-462A-919F-41A3B80645B2}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{983A8821-FE45-462A-919F-41A3B80645B2}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.21\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{983A8821-FE45-462A-919F-41A3B80645B2}\InProcServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s)  (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments. In this run the only reader is javaw.exe (a Java launcher), and the value it queries, CentralProcessor\0\Update Revision, holds the CPU microcode revision; one read of that key is weak evidence of evasion on its own and should be weighed together with the BIOS reads by msedgewebview2.exe listed next rather than in isolation.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | javaw.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | javaw.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedgewebview2.exe
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MicrosoftEdgeUpdate.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Set value (str) 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy = "1" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeUpdate.exe Set value (int) 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache MicrosoftEdgeUpdate.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdgeUpdate.exe Set value (str) 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine.1.0 MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\45DF6B4EE25799449884313C63BBC0B8\ProductName = "Modrinth App" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32\ = "{983A8821-FE45-462A-919F-41A3B80645B2}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ = "IJobObserver2" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mrpack msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32 MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0A5F4B64-7FCB-4C1B-8133-CD01DB52BE83}\InprocHandler32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.21\\msedgeupdate.dll,-3000" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc\CurVer MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{983A8821-FE45-462A-919F-41A3B80645B2}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\13CC58B29F9FD325381898EFA5ED7FD8\45DF6B4EE25799449884313C63BBC0B8 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\LocalService = "edgeupdatem" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32\ = "{983A8821-FE45-462A-919F-41A3B80645B2}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ = "IApp" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods\ = "4" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage" 
MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ = "IJobObserver2" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\ProgID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\modrinth\DefaultIcon\ = "C:\\Program Files\\Modrinth App\\Modrinth App.exe,0" Modrinth App.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD} MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ = "ICoCreateAsyncStatus" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\CLSID\ = "{5F6A18BB-6231-424B-8242-19E5BB94F8ED}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods\ = "10" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32\ = "{983A8821-FE45-462A-919F-41A3B80645B2}" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0A5F4B64-7FCB-4C1B-8133-CD01DB52BE83} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\LocalServer32 MicrosoftEdgeUpdate.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService\CurVer MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{983A8821-FE45-462A-919F-41A3B80645B2}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ = "IProcessLauncher2" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\VersionIndependentProgID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods\ = "27" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F} MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.21\\msedgeupdate.dll,-1004" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods\ = "24" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass.1\CLSID\ = "{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}" MicrosoftEdgeUpdate.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService.1.0\CLSID\ = "{CECDDD22-2E72-4832-9606-A9B0E5E344B2}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods\ = "16" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\VersionIndependentProgID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ = "IAppBundleWeb" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods\ = "24" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32\ = "{983A8821-FE45-462A-919F-41A3B80645B2}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService\ = "Update3COMClass" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods 
MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E} MicrosoftEdgeUpdateComRegisterShell64.exe -
Suspicious behavior: EnumeratesProcesses 21 IoCs
pid | Process | events
4012 | msiexec.exe | 2
1576 | powershell.exe | 3
1544 | MicrosoftEdgeUpdate.exe | 2
1528 | MicrosoftEdgeUpdate.exe | 4
3532 | MicrosoftEdgeUpdate.exe | 2
1544 | MicrosoftEdgeUpdate.exe | 4
4352 | msedgewebview2.exe | 2
3956 | msedgewebview2.exe | 2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
pid | Process
4352 | msedgewebview2.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 760 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 760 | msiexec.exe
Token: SeSecurityPrivilege | 4012 | msiexec.exe
Token: the following 29 privileges, in this order, and then the same 29 in the same order a second time | 760 | msiexec.exe
    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Token: SeCreateTokenPrivilege | 760 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 760 | msiexec.exe
Token: SeLockMemoryPrivilege | 760 | msiexec.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process | events
760 | msiexec.exe | 2
4972 | Modrinth App.exe | 1
Suspicious use of WriteProcessMemory 64 IoCs
(identical repeated events collapsed; the last column is how many times each appears)
description | pid | Process | procid_target | events
PID 4012 wrote to memory of 2152 | 4012 | msiexec.exe | 73 | 3
PID 4012 wrote to memory of 432 | 4012 | msiexec.exe | 77 | 2
PID 4012 wrote to memory of 1576 | 4012 | msiexec.exe | 79 | 2
PID 1576 wrote to memory of 4220 | 1576 | powershell.exe | 82 | 3
PID 4220 wrote to memory of 1544 | 4220 | MicrosoftEdgeWebview2Setup.exe | 83 | 3
PID 1544 wrote to memory of 3180 | 1544 | MicrosoftEdgeUpdate.exe | 84 | 3
PID 1544 wrote to memory of 3960 | 1544 | MicrosoftEdgeUpdate.exe | 85 | 3
PID 3960 wrote to memory of 68 | 3960 | MicrosoftEdgeUpdate.exe | 86 | 2
PID 3960 wrote to memory of 3984 | 3960 | MicrosoftEdgeUpdate.exe | 87 | 2
PID 3960 wrote to memory of 2324 | 3960 | MicrosoftEdgeUpdate.exe | 88 | 2
PID 1544 wrote to memory of 4660 | 1544 | MicrosoftEdgeUpdate.exe | 89 | 3
PID 1544 wrote to memory of 4104 | 1544 | MicrosoftEdgeUpdate.exe | 91 | 3
PID 3532 wrote to memory of 3736 | 3532 | MicrosoftEdgeUpdate.exe | 93 | 3
PID 3532 wrote to memory of 5012 | 3532 | MicrosoftEdgeUpdate.exe | 96 | 2
PID 5012 wrote to memory of 364 | 5012 | MicrosoftEdge_X64_122.0.2365.80.exe | 97 | 2
PID 364 wrote to memory of 2744 | 364 | setup.exe | 98 | 2
PID 3532 wrote to memory of 2484 | 3532 | MicrosoftEdgeUpdate.exe | 103 | 3
PID 3532 wrote to memory of 3584 | 3532 | MicrosoftEdgeUpdate.exe | 104 | 3
PID 2152 wrote to memory of 4972 | 2152 | MsiExec.exe | 106 | 2
PID 4972 wrote to memory of 4352 | 4972 | Modrinth App.exe | 107 | 2
PID 4352 wrote to memory of 4672 | 4352 | msedgewebview2.exe | 108 | 2
PID 4352 wrote to memory of 4900 | 4352 | msedgewebview2.exe | 109 | 12
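To work out which branch of the run a flagged process belongs to (for example the powershell.exe instance, PID 1576, that appears under "Blocklisted process makes network request"), the parent/child pairs in the WriteProcessMemory list are enough to rebuild the tree without waiting for the rendered Processes view. The Python below is an added example written for this page; it is not tooling from tria.ge or from the Modrinth project. The event lines are transcribed from the list above with repeats dropped (one duplicate is kept deliberately to exercise the collapsing), and the regular expression assumes exactly the "PID <parent> wrote to memory of <child> <parent> <image> <target>" layout this page uses.

```python
import re

# Event lines in this page's own "Suspicious use of WriteProcessMemory" layout,
# transcribed from the list above with repeated lines removed (one duplicate is
# kept on purpose so the collapsing is exercised). Layout assumed:
#   PID <parent> wrote to memory of <child> <parent> <parent image> <target id>
EVENTS = """\
PID 4012 wrote to memory of 2152 4012 msiexec.exe 73
PID 4012 wrote to memory of 2152 4012 msiexec.exe 73
PID 4012 wrote to memory of 432 4012 msiexec.exe 77
PID 4012 wrote to memory of 1576 4012 msiexec.exe 79
PID 1576 wrote to memory of 4220 1576 powershell.exe 82
PID 4220 wrote to memory of 1544 4220 MicrosoftEdgeWebview2Setup.exe 83
PID 1544 wrote to memory of 3180 1544 MicrosoftEdgeUpdate.exe 84
PID 1544 wrote to memory of 3960 1544 MicrosoftEdgeUpdate.exe 85
PID 3960 wrote to memory of 68 3960 MicrosoftEdgeUpdate.exe 86
PID 3960 wrote to memory of 3984 3960 MicrosoftEdgeUpdate.exe 87
PID 3960 wrote to memory of 2324 3960 MicrosoftEdgeUpdate.exe 88
PID 1544 wrote to memory of 4660 1544 MicrosoftEdgeUpdate.exe 89
PID 1544 wrote to memory of 4104 1544 MicrosoftEdgeUpdate.exe 91
PID 3532 wrote to memory of 3736 3532 MicrosoftEdgeUpdate.exe 93
PID 3532 wrote to memory of 5012 3532 MicrosoftEdgeUpdate.exe 96
PID 5012 wrote to memory of 364 5012 MicrosoftEdge_X64_122.0.2365.80.exe 97
PID 364 wrote to memory of 2744 364 setup.exe 98
PID 3532 wrote to memory of 2484 3532 MicrosoftEdgeUpdate.exe 103
PID 3532 wrote to memory of 3584 3532 MicrosoftEdgeUpdate.exe 104
PID 2152 wrote to memory of 4972 2152 MsiExec.exe 106
PID 4972 wrote to memory of 4352 4972 Modrinth App.exe 107
PID 4352 wrote to memory of 4672 4352 msedgewebview2.exe 108
PID 4352 wrote to memory of 4900 4352 msedgewebview2.exe 109
"""

# The writer pid appears twice per line; the back-reference enforces that, and the
# non-greedy image group tolerates names with spaces such as "Modrinth App.exe".
EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+?) (\d+)$")


def parse_events(text):
    """Return (parent_of, image_of).

    parent_of maps each written-to pid to the pid that wrote to it (first edge
    wins; the sandbox logs one event per write, so repeats collapse to one edge).
    image_of maps every writer pid to its image name; a pid that never writes to
    another process has no image in this list.
    """
    parent_of, image_of = {}, {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # header or unrelated text
        parent, child, image = int(m.group(1)), int(m.group(2)), m.group(3)
        image_of[parent] = image
        parent_of.setdefault(child, parent)
    return parent_of, image_of


def ancestry(parent_of, pid):
    """Pids from the highest recorded ancestor down to pid (pid included)."""
    chain = [pid]
    while chain[-1] in parent_of:
        nxt = parent_of[chain[-1]]
        if nxt in chain:  # defensive: a malformed log could loop
            break
        chain.append(nxt)
    return chain[::-1]


def roots(parent_of):
    """Writers nobody wrote to: the top of each tree this list can reconstruct."""
    return sorted(set(parent_of.values()) - set(parent_of))


def descendants(parent_of, pid):
    """Every pid that has pid somewhere above it."""
    return {child for child in parent_of if pid in ancestry(parent_of, child)[:-1]}


def render(parent_of, image_of, pid, depth=0):
    """Indented text tree, one line per pid, for a quick read of the run."""
    name = image_of.get(pid, "(image not in this list)")
    lines = ["  " * depth + f"{pid} {name}"]
    for child in sorted(c for c, p in parent_of.items() if p == pid):
        lines.extend(render(parent_of, image_of, child, depth + 1))
    return lines


if __name__ == "__main__":
    parent_of, image_of = parse_events(EVENTS)
    for root in roots(parent_of):
        print("\n".join(render(parent_of, image_of, root)))
        print()
    # Attribute the network-requesting powershell.exe (1576) to its branch.
    print(" -> ".join(f"{p} {image_of.get(p, '?')}" for p in ancestry(parent_of, 1576)))
```

Run as a script it prints two trees: one rooted at the msiexec.exe instance 4012, under which powershell.exe 1576 starts MicrosoftEdgeWebview2Setup.exe 4220 and, below that, the MicrosoftEdgeUpdate.exe chain, and a second rooted at MicrosoftEdgeUpdate.exe 3532, whose own parent is not recorded in this list. A pid that never writes to another process (4900, for instance) carries no image name in these events; the Processes section is the place to look it up where the page shows it.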
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | msedgewebview2.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.6.3_x64_en-US.msi"1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:760
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 91B56A35CECB778892170641767F7B63 C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Program Files\Modrinth App\Modrinth App.exe"C:\Program Files\Modrinth App\Modrinth App.exe"3⤵
- Checks whether UAC is enabled
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe (depth 4)
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="Modrinth App.exe" --webview-exe-version=0.6.3 --user-data-dir="C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --enable-features=MojoIpcz --lang=en-US --accept-lang=en-US --mojo-named-platform-channel-pipe=4972.4676.16717853251040125869
- Checks computer location settings
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4352
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe (depth 5)
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.112 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=122.0.2365.80 --initial-client-data=0x11c,0x120,0x124,0xf8,0x12c,0x7ffbae7a5fd8,0x7ffbae7a5fe4,0x7ffbae7a5ff0
- Executes dropped EXE
- Loads dropped DLL
PID:4672
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe (depth 5)
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView" --webview-exe-name="Modrinth App.exe" --webview-exe-version=0.6.3 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1660 --field-trial-handle=1664,i,5590936576300187563,6020484889422651722,262144 --enable-features=MojoIpcz --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version /prefetch:2
- Executes dropped EXE
- Loads dropped DLL
PID:4900
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe (depth 5)
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView" --webview-exe-name="Modrinth App.exe" --webview-exe-version=0.6.3 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --no-appcompat-clear --mojo-platform-channel-handle=2272 --field-trial-handle=1664,i,5590936576300187563,6020484889422651722,262144 --enable-features=MojoIpcz --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version /prefetch:3
- Executes dropped EXE
- Loads dropped DLL
PID:4628
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe (depth 5)
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView" --webview-exe-name="Modrinth App.exe" --webview-exe-version=0.6.3 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --no-appcompat-clear --mojo-platform-channel-handle=2376 --field-trial-handle=1664,i,5590936576300187563,6020484889422651722,262144 --enable-features=MojoIpcz --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version /prefetch:8
- Executes dropped EXE
- Loads dropped DLL
PID:4416
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe (depth 5)
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView" --webview-exe-name="Modrinth App.exe" --webview-exe-version=0.6.3 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=3124 --field-trial-handle=1664,i,5590936576300187563,6020484889422651722,262144 --enable-features=MojoIpcz --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version /prefetch:1
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3736
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe (depth 5)
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView" --webview-exe-name="Modrinth App.exe" --webview-exe-version=0.6.3 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4220 --field-trial-handle=1664,i,5590936576300187563,6020484889422651722,262144 --enable-features=MojoIpcz --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version /prefetch:8
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3956
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe (depth 5)
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView" --webview-exe-name="Modrinth App.exe" --webview-exe-version=0.6.3 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --no-appcompat-clear --mojo-platform-channel-handle=4272 --field-trial-handle=1664,i,5590936576300187563,6020484889422651722,262144 --enable-features=MojoIpcz --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version /prefetch:8
- Executes dropped EXE
- Loads dropped DLL
PID:2236
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe (depth 5)
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView" --webview-exe-name="Modrinth App.exe" --webview-exe-version=0.6.3 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --no-appcompat-clear --mojo-platform-channel-handle=4608 --field-trial-handle=1664,i,5590936576300187563,6020484889422651722,262144 --enable-features=MojoIpcz --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version /prefetch:8
- Executes dropped EXE
- Loads dropped DLL
PID:1756
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe (depth 5)
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView" --webview-exe-name="Modrinth App.exe" --webview-exe-version=0.6.3 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --no-appcompat-clear --mojo-platform-channel-handle=4252 --field-trial-handle=1664,i,5590936576300187563,6020484889422651722,262144 --enable-features=MojoIpcz --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version /prefetch:8
- Executes dropped EXE
- Loads dropped DLL
PID:2636
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe (depth 5)
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.80\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView" --webview-exe-name="Modrinth App.exe" --webview-exe-version=0.6.3 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --no-appcompat-clear --mojo-platform-channel-handle=4492 --field-trial-handle=1664,i,5590936576300187563,6020484889422651722,262144 --enable-features=MojoIpcz --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version /prefetch:8
- Executes dropped EXE
- Loads dropped DLL
PID:1228
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96406\javaw.exe (depth 4)
"C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96406\javaw.exe" -cp C:\Users\Admin\AppData\Local\Temp\.tmpSzRgvM JavaInfo
PID:760
C:\Program Files\Java\jdk-1.8\bin\javaw.exe (depth 4)
"C:\Program Files\Java\jdk-1.8\bin\javaw.exe" -cp C:\Users\Admin\AppData\Local\Temp\.tmpAZH5P3 JavaInfo
PID:4736
C:\Windows\system32\icacls.exe (depth 5)
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
- Modifies file permissions
PID:3184
C:\Program Files\Java\jre-1.8\bin\javaw.exe (depth 4)
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -cp C:\Users\Admin\AppData\Local\Temp\.tmpQgLUvB JavaInfo
PID:4544
C:\Users\Admin\AppData\Roaming\com.modrinth.theseus\meta\java_versions\zulu17.48.15-ca-jre17.0.10-win_x64\bin\javaw.exe (depth 4)
"C:\Users\Admin\AppData\Roaming\com.modrinth.theseus\meta\java_versions\zulu17.48.15-ca-jre17.0.10-win_x64\bin\javaw.exe" -cp C:\Users\Admin\AppData\Local\Temp\.tmprPyEon JavaInfo
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:5052
C:\Windows\system32\srtasks.exe (depth 2)
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
PID:432
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1576
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe (depth 3)
"C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220
C:\Program Files (x86)\Microsoft\Temp\EUBFD0.tmp\MicrosoftEdgeUpdate.exe (depth 4)
"C:\Program Files (x86)\Microsoft\Temp\EUBFD0.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
- Sets file execution options in registry
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1544
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (depth 5)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
- Executes dropped EXE
- Modifies registry class
PID:3180
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (depth 5)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3960
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.21\MicrosoftEdgeUpdateComRegisterShell64.exe (depth 6)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.21\MicrosoftEdgeUpdateComRegisterShell64.exe"
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:68
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.21\MicrosoftEdgeUpdateComRegisterShell64.exe (depth 6)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.21\MicrosoftEdgeUpdateComRegisterShell64.exe"
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:3984
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.21\MicrosoftEdgeUpdateComRegisterShell64.exe (depth 6)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.21\MicrosoftEdgeUpdateComRegisterShell64.exe"
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2324
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODUuMjEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODUuMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODJDRTA0MzMtRkU1QS00REFGLThDNUQtRkYyNzlDREI1NEE0fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins2ODhGODA5OS01NjA5LTRCMTMtOEMwQS0yNzgwMDNBQjY2OUZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTg1LjIxIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTg3MDM4OTg0IiBpbnN0YWxsX3RpbWVfbXM9IjE0NjgiLz48L2FwcD48L3JlcXVlc3Q-5⤵
- Checks system information in the registry
- Executes dropped EXE
PID:4660
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (depth 5)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{82CE0433-FE5A-4DAF-8C5D-FF279CDB54A4}" /silent
- Executes dropped EXE
- Loads dropped DLL
PID:4104
C:\Windows\system32\vssvc.exe (depth 1)
C:\Windows\system32\vssvc.exe
PID:2812
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2160
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (depth 1)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3532
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjE4IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MDg1MDU1NzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM1MzAwNjk1NzU3NTY1OTAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxNjkxNSIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTU5NDA3MDAwNiIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Drops file in System32 directory
- Checks system information in the registry
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3736
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8C9F9131-D1A6-4A03-BE33-ACDFC160FD7B}\MicrosoftEdge_X64_122.0.2365.80.exe (depth 2)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8C9F9131-D1A6-4A03-BE33-ACDFC160FD7B}\MicrosoftEdge_X64_122.0.2365.80.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8C9F9131-D1A6-4A03-BE33-ACDFC160FD7B}\EDGEMITMP_B107B.tmp\setup.exe (depth 3)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8C9F9131-D1A6-4A03-BE33-ACDFC160FD7B}\EDGEMITMP_B107B.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8C9F9131-D1A6-4A03-BE33-ACDFC160FD7B}\MicrosoftEdge_X64_122.0.2365.80.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:364
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8C9F9131-D1A6-4A03-BE33-ACDFC160FD7B}\EDGEMITMP_B107B.tmp\setup.exe (depth 4)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8C9F9131-D1A6-4A03-BE33-ACDFC160FD7B}\EDGEMITMP_B107B.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.112 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8C9F9131-D1A6-4A03-BE33-ACDFC160FD7B}\EDGEMITMP_B107B.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.80 --initial-client-data=0x20c,0x210,0x214,0x1e8,0x218,0x7ff78e3169a8,0x7ff78e3169b4,0x7ff78e3169c0
- Drops file in Program Files directory
- Executes dropped EXE
PID:2744
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODUuMjEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODUuMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0IxRDcxOTItNzJBNy00QTRFLUFCMDktRjQ3OEQ5NTQ0NDU3fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins4QjZDOTUyMS1DRjg5LTRCNjAtQTI0Ri1EMEJGNUVGNTc5NDR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xODUuMjEiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC45NSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSItMSIgcmQ9Ii0xIi8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEyMi4wLjIzNjUuODAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjYyNzIiIGNvaG9ydD0icnJmQDAuOTQiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iLTEiIHJkPSItMSIgcGluZ19mcmVzaG5lc3M9Ins2Mjk5NDgwNy1EMUJDLTQ2RTItQUI4Ni0yQUQ4RUMyQjkwQ0R9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Checks system information in the registry
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2484
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODUuMjEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODUuMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODJDRTA0MzMtRkU1QS00REFGLThDNUQtRkYyNzlDREI1NEE0fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins0Nzc0OEJGMi01Qzk4LTQyODEtOEYwMi0yRThCMzcxNTVBQUZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEyMi4wLjIzNjUuODAiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU3MDA5NDUzMDQiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NzAxMTAxNDg4IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-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-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5MDk2NDQ1MDEyIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMjAzMSIgZG93bmxvYWRfdGltZV9tcz0iMjYyNzY3IiBkb3d
ubG9hZGVkPSIxNzE3MDc5NjAiIHRvdGFsPSIxNzE3MDc5NjAiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9Ijc0Nzk5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Drops file in System32 directory
- Checks system information in the registry
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3584
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (depth 1)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
- Drops file in System32 directory
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1528
C:\Windows\system32\AUDIODG.EXE (depth 1)
C:\Windows\system32\AUDIODG.EXE 0x3b0
PID:2064
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
30KB
MD51e41bacb6e221e7db7772bf7a9b9b228
SHA15036f8c73029b74b51da93330e5bd6be78998953
SHA256ecef2e77abe7a1e67ee7e2b1e281ff3f2b1e0cdc4ae1d96ca4e6d25730587efd
SHA51281bc5de9bf1c392c886b9d83de8e3dd290399c31504ed998a746eb2b3cc2f7c43154854973146a29e9164b2fd6df8e6bae7a63c9288c4dcb7ac9313c18289c9d
-
Filesize
28KB
MD5baab875fbcead06d6bfe0eb3325f9d1c
SHA17c770a51d93b5651f14a290858fc25a8c5458378
SHA256e2706880a1ed7cb34faef4ca0f3b2df7aa4e75d869dae74c86d750df8423c1f9
SHA512994fa0d9f9d02b1320acc5ad336e30451931a52e6a8c48b3b5d9d5179b42c68feaa14fc76cd2ce99f682f1dfad5d8ce21b87a12321fabe504eb9c0844a49fd32
-
Filesize
30KB
MD5c98c2777d3e3f5b4cdaacfac7b92233e
SHA1879cb8fb3f292c05aab59a2852daaa089b13cd00
SHA2561afc654cdc779a78ac66c08f527da746ae99197d2b4a8d23f024afabbe98434e
SHA51272ad4fd9e2f3b29f937ba0cefe6adeb85edcf26f913b5f4dcf8d7921a7cfd38fa1eef67db7c83e1ebc4714dffcc4adb9dd6ca909b2b7ebaf2827d2b2f90523c1
-
Filesize
28KB
MD564e4a461716700e7f14e7014abe9816d
SHA1cea6b0612f2dffb7e42d23629d41ffd73cbc63b8
SHA2569674903cdc0e08f18c8f071ed9fccdb8aa20184c85d48d99e8e90de4f4e33a05
SHA512f68f902cd1a3e1232401db23ab466e7a38ae09e3324bc91fd6066d19b9246dde068178b73ae5fa6cdecc420b0d3a818f183f46d280f53e8c311b063c029537f3
-
Filesize
28KB
MD52bc86512dd0753e4649fc66d72760498
SHA121d7a1ff5c5f54f9aec52b4d6dd6beb72c9988eb
SHA25601df748e21237a03eb6e9d616cf0ab2cc63272a736c8e6fefb476a2b59be3302
SHA512aa7cc40847eb65bd67c07261d48c18322d63cd7acd5d230cd93847ee7e94e879ef87e9fb96b4131af7aa45524b3c48a01c3a215bc515a2227223504045cfdc83
-
Filesize
28KB
MD53a60d0c9d26cd258b08f80daa33b0134
SHA1ea55affe72494cb0f7145644277270627d68f99f
SHA256f8647909bbfbe73c0c962eae21c45ca58717f97cfea7dad404fde52367f837b7
SHA5128e1b6e53020652f391511c8b4e64b8c12bddf5c52f869c8069349c44576520a9529bf120d377c243e5b6dbee0c37a8d9b31a0e4eaf2126b553d485e840027370
-
Filesize
29KB
MD5cabeca48e04e6bcbe4fcd9231bb70ff1
SHA1af016512f0bd3a51b38eb22c7aab8ce07a48e9f1
SHA256fc73ca5d57213643d99432389eb371e13d0217c4718aadf551677667b5f9837b
SHA512e3d1b7f9a5a4672da70090c2c63fbf1a87a27d127a538c940764b611d3e8952ffe7384bc5e103e7d5b90b216eaa595086a9bc070bc9700c7e450476be17a63e8
-
Filesize
29KB
MD5df6a438814eb75ad639cc572f123924f
SHA18aaaba665de347cadd55dce07133265e30d48510
SHA256416d5ed542c2dc6bb7219d2a76b5729ae835db4b63015a9a998a0eaddeeda1a9
SHA51202171d854bfc57845e6eb344a48c4aebd653d229ffd94d4ce1d3d76a623503c6a6b104f9323a7afd16bd0a2007a0d544d8e31f52a3e24a3ee0a4a6520f0933db
-
Filesize
27KB
MD5ef49bfeb60ee4283650932e4e50de722
SHA1e592965caf1dd2f894b24a09f2cd14294ece7d84
SHA256c49adb300b05a792e3b2d0e91d200055886acbbd26b7eaef43722ab3f5c40752
SHA5120a15abbb7f5e43425a561c91ce775ef6944044f3ea9e1dc60371189c79c4fe1cbe059ad38a7492f8b2342f1ecb5fa3a60e1643793bf9db90c21e64f1eeced079
-
Filesize
28KB
MD5333f733cabf382e901c99e1d3049f767
SHA18c858f0ad0f06f137fbc340f01831a7eccbbbaba
SHA25615fb8bbde296a384f6c9bf3acf0d8f6860e30d7dbac2c60cb928300d8464d81a
SHA51281abb4abcca78181956dab1bd8a3b9523cc38f30348675342198f2cf3394fe1366d12f8b61fba7775e8c572c45a23603eca96fe36e693ca2d5f5bee0300101c4
-
Filesize
30KB
MD520af857014bdfa8f869145dc25fdb5e5
SHA10d876e9b0abf907b4cdc0767d120504cf2ecfab5
SHA25613f6f81e6507f2304768922e81ccac99951bec4163cc576f2dc3f65b78cd08cc
SHA512992443bfe3c101270e1fe5b39d8adaf1990b46e79ea2b285fe848e6632bea2ddc6e2a1523611359518c79b0ea4ad5a228f5d778bdf78872010b67e753866ae72
-
Filesize
25KB
MD5f2b801a134d0e6016a500e7237f17fc6
SHA105135e4f7c5c2ffdf7989c761947c7f482e6f859
SHA256556146c69e56b62901e3741d606e12e766324651793c26ed75861c172a34fbf0
SHA5129fd5c3bdd6f6cf4c75869eb0c80f71f00207e3bd0a3cf1ada37ca0916018ad691d93c335faebb919de551ea7e0a0fb8c0ee4b406a573b48f6ce01a21558c555a
-
Filesize
24KB
MD57bee509a3cb93cb97a3c419ded29b379
SHA151b83ac0e624da9dd877894ddb229382c25d479b
SHA2569c24aa6f46f6bb4127a27efb46279762582909dbbe491c2fa1a621a8d9da2408
SHA5120f148229fa873878827437177717ca3be23630f62788886f53703484073d282e3204cb86aab49e493bbde2b2638bc1d6b7f05a7290b32e2b6115854774cf995b
-
Filesize
29KB
MD56e590abdacf69c0a95371ac48ab92698
SHA1f2a4a183010cafedb76c182a6149bbc313ed608e
SHA256975cb32be3ee396f0a076483206fc6a9f8d3671c439ca5aa3649d7cafc1276db
SHA512d2cabc0ae33c9ca75f6146d2c7ed3f37df03a2e6b82e7e6180a2a7bbbd32bff4fa157ec1c8d906c48445c79ad58105ac30e0217739ac21beccf13be369f0cdca
-
Filesize
28KB
MD52b4883e2c8eb6a1cc0618972ab9022bf
SHA190db614ce4217fe3703b87ce8be687e7b244da58
SHA2562815b85a065bab6aae4af23cf5c8ccb5c8f587b5ac57b9719b2fcc6343d573b8
SHA5125e86c7028fa5520fee13b29c833d5949b28bf6e803752df71b6abbe9e1fa5b43c9948e6b4956e554cd5461a101824e051e20b6762cbb418f112f938563f05e20
-
Filesize
27KB
MD519305a2fae65010d305d658338cc4ea4
SHA170fd2048440da6d411fd0ab61f441cbb706b3b11
SHA25627bb6d533b10539f18b9ac37c49d8340ad7bde91e5150981fdd317ef38bb7efb
SHA5125fa9f71e2d5f2b588935be0c1a91faec745e20992584071052cb7624637b7232fb6e5d60aa79926cf2c3ccca47f95ce494769a679259bbf2d5c98374981c61c9
-
Filesize
6.8MB
MD5f2e2c42f36ec5742d079c842530cfe2b
SHA189cc9120897ec3b185ec18722104e7bdcd1c9962
SHA2567da9a0a7d873ec4e43a640c58dc70f8ec4e8d29905c94977bc6151bd0341b4dd
SHA51235d59f808f58823449e956a6e7eb7a493340ae1155c058651def7de72fee5f616635c38d21703161ab8109a66dfe2f1038521d691ebea9fe393cd8bea2716d39
-
Filesize
280B
MD5b49a2be6ea94e4752e4201727b7f2068
SHA111b70ef1d63671ddd74624870dc25c0668e277d6
SHA256901826e33a78561fe0df06bfa4f48d59cd603b6dcedf50b8ee7ff993743c99dd
SHA512d4bd539fcbcd9f91ce18a30b73a29cffd594406dafe3db37cf25ff091e9c0c097a11da0fdd77cd0ade6cff77d9a5692f057ec61b233da60d98783992a7339973
-
Filesize
134B
MD558d3ca1189df439d0538a75912496bcf
SHA199af5b6a006a6929cc08744d1b54e3623fec2f36
SHA256a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437
SHA512afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2
-
Filesize
108B
MD55a6ec1311e0595cabc087867b3974ef0
SHA10a01317eb4d7b7b92f94a434f8914c2c64371978
SHA256dd8d46e0af72599ae64b911eeae346a8932979b6ca1d891e4b597ed8b4ea67e6
SHA5124b2fece51cc467149b4fa2209602532d881c7ac6ae30e41174583d218ee9d965100201e4ba8eb8e9f036c2f3d048d8978fa15c29bac7ce03d787a94741a2a0f4
-
Filesize
21KB
MD5d246e8dc614619ad838c649e09969503
SHA170b7cf937136e17d8cf325b7212f58cba5975b53
SHA2569dd9fba7c78050b841643e8d12e58ba9cca9084c98039f1ebff13245655652e1
SHA512736933316ee05520e7839db46da466ef94e5624ba61b414452b818b47d18dcd80d3404b750269da04912dde8f23118f6dfc9752c7bdf1afc5e07016d9c055fdb
-
Filesize
113B
MD5b6911958067e8d96526537faed1bb9ef
SHA1a47b5be4fe5bc13948f891d8f92917e3a11ebb6e
SHA256341b28d49c6b736574539180dd6de17c20831995fe29e7bc986449fbc5caa648
SHA51262802f6f6481acb8b99a21631365c50a58eaf8ffdf7d9287d492a7b815c837d6a6377342e24350805fb8a01b7e67816c333ec98dcd16854894aeb7271ea39062
-
Filesize
15KB
MD56ee0b8960d01d19b08908e9539dc8722
SHA1640d802e43c0004b04dbb2e1e6e12bdce8f25105
SHA25661ccd0d404ac0d16ea5b81f3c4cf03c31c75808c3580b48b33818c899d58175a
SHA512f04a51e02da50e7919e2d3da0defa26bf88ffa236310857360512aa36af7fd208f072bdc966b118638ca1d655b871dbb77a9ff259584ee5134c27f4685b6f856
-
Filesize
2KB
MD5b169d8d18805027d958071e678c78bcd
SHA13d00b23d7a9b191b6ef308ca058621a298d8a905
SHA256ef1f70a29e6ed86218de4cd8c4d9eb503097348b5fd1f2bd099954243c98204a
SHA51213a92a27c4e28298ed40c01701cfc8e929fc4ac0707b588f2c2d08a63912ab76d0c2ae2578d64d662fde07b53524715222039f62fa9013b0c3433e648629157a
-
Filesize
1KB
MD566a19c913b255a056e893acca4b5c259
SHA1248b433154bbceecf16323f92e41f1e7e12db9c3
SHA25643f15d21a116890519eb58f5ce4847a6ccd72d6d5095dff49007b084724929c6
SHA51281fd6333540a203961d2e6c4568f5d1c22fc330b42f4ec941a2109c63eca9a3decc857909dbad97d293228ef6aeff69ad9ca877ca996ccec7a7f8a73b74aed51
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD5053891bf9f414e13ca193fd601474586
SHA1c5c966f68bb99c32fdb92df311edaaa9f7f4045c
SHA256e07c7807c2ed9494f2f1968b0b76f89a3897bc3f67bc32a455a0b0beeae6c84b
SHA5124f70a30b235355aac2fa35c56b59b502171cbeee1f88aa6d4f2d12cd940930772efc788f374635d6e1ba79faf55479536478c0359513ad77db6a9e09ddc86a15
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_7907B0D1F2DC082B9BA6064FC995BD36
Filesize727B
MD53554295950dcd0d74f0c2827b29202bc
SHA18816745ede576d09ee93a4295d7604906958a621
SHA2563133380c7a5b5fadb353a7976eada07d715e04e8ad3bddc9b9ea7011fffcd1a3
SHA512f68e47377fdbc4a4d19106517680300cc452ad1573526926cc71fb047c723217dc8507c1d68fbd8fd10d67e7882174941a1bb0a69c1bf69f1eccedb32e79acc5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD57919a6e82e13fdbc3b9bceff3e812dd9
SHA19e7a44e513d57bd7caee81e3d53bf01d44dc06e1
SHA256e6638bbbd6c7095af8928670b9a5ee874ecc1b40778cd1226614f1db6d4e7730
SHA5126947c67e7c9a1281083ee1494ba504fa31d78c636650d7efcd12b4a16aaf78d1b077e2be3b94cf36d4fdc7fb70848ecdf76759f69b3f5c5bfe5d2563137482c5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize400B
MD514e2e9c9ce9faf5373afc1ef0131a4b1
SHA1d740dee8f9c1a86ac99f1766756ce5dcf4bceb57
SHA256eaa235bef8e64c09f0885e381e881194257542f8b5eba0eba0f7338362b966ba
SHA51233a57b563e0cafffbf8ad1faff1c0289e2407d291bf02b1df0f8f7c70d8e78ceb8ea5486ffc0c1d9ac53df2fae6bfdb549c449c436b2f5027031b808f83377ca
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_7907B0D1F2DC082B9BA6064FC995BD36
Filesize420B
MD553bdc413c59f87da33b35c69618f1092
SHA1abf91d5ebfc38514e1486156bd4ee82a560e8564
SHA25690f991e23fc4dd96cfb5a838ab49a560022e6ba40c35017c2e8edacad92e7785
SHA512623366a784c7e01ca7b14ee957e82643e62d500af57ceb51255c660fd5fe020249a2508a0836946d2a15445f6daa46f759eef9bccdeb53d21bb1946eb56a920e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD595337549939ce27512ea0edd63293eb6
SHA11ce0bc84598d430db0a996a26fb9e65dbb113ae1
SHA2563fb3dda794fccb1a1ee1d43eabbbd65e2d60f46ddb880f82420fecc6bcd201f0
SHA512117e7434a8b024da8289c55ef1eb3e9349db372cca0537077d5cefcb074643e0e494080b00ca3aa85d47a20582221cd02a1ffa344d1a64d305ad42314c3d8135
-
Filesize
113KB
MD54fdd16752561cf585fed1506914d73e0
SHA1f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
SHA256aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
SHA5123695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600
-
Filesize
1.5MB
MD5afe19b551bef3007e6c67af7a3c726ef
SHA14f105cd2f045a0b107a58127b75e7818b430c3ae
SHA2560685c3054bbc59a1b1502257d0dafdf4dec22f0965ada2ea88939b4f729b795c
SHA5123d379fdf8f7d24a0032cdc89d68f8c9f4450f19b1ad36d870708a1e70bbdca1dc18ea2fa9710e25b5bcb757e23dd535b35e0212fb3b64055183930035feff01b
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView\AutoLaunchProtocolsComponent\1.0.0.8\protocols.json
Filesize3KB
MD56bbb18bb210b0af189f5d76a65f7ad80
SHA187b804075e78af64293611a637504273fadfe718
SHA25601594d510a1bbc016897ec89402553eca423dfdc8b82bafbc5653bf0c976f57c
SHA5124788edcfa3911c3bb2be8fc447166c330e8ac389f74e8c44e13238ead2fa45c8538aee325bd0d1cc40d91ad47dea1aa94a92148a62983144fdecff2130ee120d
-
Filesize
280B
MD5fad0dd60cb2d654452bcbc2368985046
SHA1065c0458f642a8412673906a19f6ba26b55506ec
SHA2566ff118089cea65877c8f090c14aba9c9245196295a35006cad05af8b516614f2
SHA5128a78ff1cb28e42a65f375901e8441dab2805d100a98e5985609561b3e60a70608c276caa18fe6c49b1d4427768d5ec7945a8168c32e026643edfdec96bafbd71
-
Filesize
280B
MD57ac73a8692c50920c4f1a59bb98263f8
SHA18e81e590776645301417360ade73bf273df1a4cf
SHA256a9e5dc1b5fc5a47c8f6311216fdeed20aff5b5857d4b8979deda081a29e1e718
SHA51222d52750fdf71cb44b4645285b57c8dc56ad832f3e11c6d98edc717944e24db1ade20785fcc9d118bc9a471c994b99fd1f5c2f92711ee56e79d295faa2e307a2
-
C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView\Default\Code Cache\js\index-dir\the-real-index
Filesize48B
MD5daa116db592883607b06b8842eae4acf
SHA16c735cc0997b10f249de99b4a3808dafc2fcc6f1
SHA256441a4312aa6eed9b17e228f822f021d672f51924660ffa9a73dda2c6486b12fe
SHA5123722a30a4f80df2f82ee2ffb450e2a7d917a2d5930ee648be8d7580fc22cd9c381cbf84b7673acd18ff42a3679ce59afca560f75565dd2bdf898206d550281e0
-
C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView\Default\Code Cache\js\index-dir\the-real-index
Filesize72B
MD54bb6f0ec949ba49da598b2919d98aabd
SHA1080c01f6e036ef1b7fa0211d79e8ba13e61011a9
SHA25645dd5b5d82150cb31221ffe1c4e4a0fb5332758dff38f4551b914cf2c55d7587
SHA512140ec2284b5caf053fd8293fa2928be6e48d9adfe9deab4f0565652e28b07828416f318193b15f6005d2602292bd8cf89c22e2fb026168e1130a69b02f9fb4ae
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView\Default\Network\Network Persistent State
Filesize111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView\Default\Network\Network Persistent State
Filesize111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView\Default\Network\Network Persistent State
Filesize1KB
MD58a572e7c0778dd710f3ef3688120ded1
SHA1c9c3d2ae7f91231fc85fba0795ef471f2bceef21
SHA25690d39e89ffd44056f178c86074f23dc991d17469acf5ae65b7230b2fa0d26603
SHA51200eef61661d8dfc3913dadc8cd5f136515694aafec1cbb7259696172ad0fb7c457822d8709ab0ba41f7ec40da61d7c3b5ebb57909d8e012d4bceaed4ad3b8567
-
C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView\Default\Network\Network Persistent State~RFe6463cb.TMP
Filesize59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView\Default\Network\SCT Auditing Pending Reports
Filesize2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
846B
MD56b565bdd20e8eda8788bbf0a4ca289b9
SHA1320a9bfbef656d08878b2269837f473976cbdd38
SHA256b262f9d9d19c5f39950950b77669691a9cc6bd01515cc5e1f2e004219a8c9f41
SHA512bb704fa931f7be1dc750d2c2f7ff5d690e4ffe53fe68884a095135d60d639ff8f54bba4d03425177f2abd64488de441efbb42493619812129ed6ce58d956f4e9
-
C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView\Default\Network\TransportSecurity~RFe650599.TMP
Filesize188B
MD529ced9a2688e2a20b99d6625f71064c7
SHA1e837cc2ff96b8007aed24af28b6c3158050a01fc
SHA256821e21f79b32c5bbea4915d2dd0137c1fb520b5f19f72d7efa037a28365a2c6f
SHA512ebcc8cedec45b8a026ed94af5f5f83759c180392dda8bb3fe7c40a47e73b75cf4c273652c34cfa9fd33b81920bcbd8aa5efae7d186e54942431ec554e10d111e
-
Filesize
5KB
MD5762271a84dc60eb3fa09ab56813ba728
SHA178d50d12a764f6cac66ddf7f1dd430da7b303cd6
SHA2560295f044ac2b932542aaf02d00b31e8557a18a5d78d140aef58484a5d49a4d07
SHA5121d25d7d1c84369c16851da16ecd2e3df6d459d63a45696e9d434ed2c8f92ea3286395bcf45e4d7b7d6d882b4c65f8717cb725b8f5987463c758127677f56dac7
-
Filesize
6KB
MD5cc6c9ccbfd1527c231ba95fe3aabfdf9
SHA15d741f7441a0f5cce52a24735fd7a4fd535f7969
SHA25674222679b7abc1253458797153e8a2955ffbb2036561bfc3d112d44e52dd07f6
SHA512ce126ed448b06a1269ec64b159f20e31aad6c3e09a9acd7ba66a24031a328e7d51bbe5be666adc4a4e33038f32cd27d5dbd271a5d72e200b0f7f9d38ab768c39
-
Filesize
5KB
MD5574d73ab3a563e8503f1d3632393673d
SHA1d2e9bad2b8caf65734b6af6c3c49543b9f4ba68d
SHA256dca984a8579dad93d25704dc8f053939aa8afae177498162852c7115e68033d7
SHA51208fb48e1e0a8f215f79974997037f6e779d88c706e8b949b87a8794949d3ff1344c2098c1c43666d5d41dd67b166969db9c553a54483066a8690b733045b538d
-
Filesize
6KB
MD55ed8d799c12f96ff5e785811a26f1941
SHA143edc9ac3e4550f5eec9b197053c3b1f6dc72e3b
SHA256c30abcf831e13f861b7a4e7c0dc1a964107a6f837b427fe2f845aef024cf5129
SHA512bf1495c8689057e7a3296b7f723143fd7a631417ddefd15f93ad43440e6d17fa6f9c4ba22577eddd039244a16e0a04416c010784ca274261ef14e9c5b8fd08ae
-
Filesize
5KB
MD56bad42f27809e529f7f7a43c30085e42
SHA196bc9558f33e27772eeab2db0063ac6263649ae5
SHA2564752661aa9da507d71d8ccaf98b8f1ff4364b75fbb4820bd6ba3cdc585ab2b0a
SHA512317d15ac3e643c94895671edf54dd8547b4dd5bb8e6b30b42bec9287af346fabd2efe872a9a7bb155dfa3789c0d590ffdd126f8a020329fab6c9733652b9d0eb
-
C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView\Default\Sync Data\LevelDB\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView\Default\baad1cad-5840-4828-ac23-65ad8ada3a27.tmp
Filesize6KB
MD576fce35d92489846bc0d0523004b2651
SHA1e1543a67420e09726222de001843d1a548f2122e
SHA2566d13ce798d235f7fc95eb26cf7974184ed3b00f170913721307fd2a56f62350c
SHA51272e72da3d2270db6c74032dda7c64175532e55e3d1c8ad5521b1f9eb5b38a13ae15e29bac2c57a0fc0ceca902132caae9ff7e659e5ef0432ccefce3b7304485b
-
Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
264KB
MD5d0d388f3865d0523e451d6ba0be34cc4
SHA18571c6a52aacc2747c048e3419e5657b74612995
SHA256902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
3KB
MD5ec7300213d98b3fa357668966956e048
SHA1c8c6ae39c161a56202acb2fff5f43d0c52791394
SHA2560289f9ca05673175b604eb65d28d941d6cfdba88c027733ddd3447ed1bb4f951
SHA51229d3c49343c3f2587a85ee23b036c0f273532d296d1b7e7a6b7157589e9266f16622b310a6fd864aff8f41bbb137266aa276173b9aeadb73f1905f077f02df45
-
Filesize
8KB
MD51fa81764b7606d0fbfd1dd6ce4a05414
SHA1e78ea8e33b951b93229b859e74a8b49c79ec4064
SHA2560a4c860045f758a4263f69540b0e9e5bc70cdfef38f2517a559273db0530b5a2
SHA5122cfe600182d1675aa1ef57d08065dc95e5f436dc80700d70c03b65fc7874015a26cf927a544e4ec75fb1b317fafe756b070ec1e0728f41c203b66675777531f1
-
Filesize
4KB
MD5addf25e7468ce7dd472632a706bb1c17
SHA1e693a79e2f54d2def4393bdfd404c14e819318e8
SHA256a499bb9b632e19a661e4a24468c81c2f9474e043eec37564eb03dc7dd9f03319
SHA512d0fd15ef9e624fe49ffcd2fd93e4575dd6f0c818fa25c412b14c141db62e9a75ee4c21cfa902531300fde38284d21d5718896452e1ac8aa95ce61f22944f8604
-
Filesize
18KB
MD58375ee2997258a513c963c513ebaa485
SHA1d4c1ce31375e6fee3b2accf1d137bfa7465a08ad
SHA2568789e77eb2f8c0e099ab81305687e0b9592e84d033f630b66c2ffdf43884f96d
SHA512cd8f937c6bb5d4f6767a7bcb6ab4f72983c71b9c7f216f13f0a7364d9155fa7818b2dbf16e42880a8c65b42ef0f716192f524860987f3c271dc711c5ab4a4018
-
Filesize
5KB
MD53b41c6b997723bad437560a922894f44
SHA1965d967e1b7728856be19f30a01be32a19e42f65
SHA256fa38a738df5bcc8cf07db737c3454eb1bc59e666d6d59f9b3f36ba0d38186d3e
SHA5124b741928f21f6e4a594374c52260975073cc7aa1fe79700b1fc2b41babc4b248870c68c3c33c4440820b427824eb5375029bb751bf95a16e1f1242e0f82feced
-
Filesize
1KB
MD5183e4d7a0778f88f1b18c7cff215f098
SHA145fb5228195ffa2aec4f2223e6ce878e528511b2
SHA256efad309c47ceadb99eeaf0415b7c17789ceeb18dc8a4d1c5e987219eb03eec0f
SHA512afd19112a083093defb7f4a6fef2c80e52b694769a9f094c1ee5b434ec09715f0d70f30ce6a9f11339be49baa27352bd695e1353b72687aa6ad3801a418b1edd
-
Filesize
6KB
MD541d04d8371715e478903a88c1dce5b95
SHA1067052cc0c61940ee9f956a7be7db1f4938fcd1b
SHA256caf8fe15704f3d8d562956723a5729cd12f870b1a5e817740f314ee4fc2d6470
SHA512b6a239c73473593002c6be71521e63fdb8e0510bd63bf647b9b85329334409177318e316c862dae7cf2873cff6fa5301e26b3b24b56779fb51179f23f8a00a92
-
C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView\b2f2ced5-202e-4fdd-860a-bcd700501619.tmp
Filesize4KB
MD5134749d5f4c366e9d0d7e621ffc3fcab
SHA11797c24942cd516fb1dd380bc12897faae4cb078
SHA256d498abd50f75a1c04e87c0e3bb6a0cc96503c70b657c8a45e6e24cc2faed8e1f
SHA51209c5424666f1419dfe0d6b7b637ac8b3566c45498d4b7a5a08364c89c5db07b08c2c1d533353bee690df2a33750fd474c2057fad7e6879601083a28dca106908
-
Filesize
835KB
MD57f064cf1af289b4ce1854ca05271e57d
SHA16614e62a9ecca9f0a241dce4d3c39111831603c2
SHA256b88fa0cae0d1e994346189e86e105beb2ecf09ea1b14129f068c6b6e86ce4d3b
SHA5121d4734acea289eaa8a18328093a33467e2c30f146ca4d51b2d7aafdbec393d1810bbe15c05d8358bc5302ae04c20ae3452937aa4baa7423b8159f8d9c3ca9ea7
-
Filesize
113KB
MD51fda1cd05b95de2c7638cca1274504cb
SHA152c03065bfe91f66c611f25076dc5dd58375a5e2
SHA25678a926c14db27369e5c4fff67ba00197453220cfd854d8cde46bdfd7b5b98794
SHA512f24ebdb233c731f568b6fa757dfe016d9847c23169684e54cee087a1fd8c8ebdf1fad03da28fa0490bdc8e119e1e521d17595379d5d28fcecbf02bfbc7b03811
-
C:\Users\Admin\AppData\Roaming\com.modrinth.theseus\meta\java_versions\zulu17.48.15-ca-jre17.0.10-win_x64\legal\java.datatransfer\LICENSE
Filesize33B
MD516989bab922811e28b64ac30449a5d05
SHA151ab20e8c19ee570bf6c496ec7346b7cf17bd04a
SHA25686e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192
SHA51286571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608
-
C:\Users\Admin\AppData\Roaming\com.modrinth.theseus\meta\java_versions\zulu17.48.15-ca-jre17.0.10-win_x64\legal\java.scripting\ADDITIONAL_LICENSE_INFO
Filesize49B
MD519c9d1d2aad61ce9cb8fb7f20ef1ca98
SHA12db86ab706d9b73feeb51a904be03b63bee92baf
SHA256ebf9777bd307ed789ceabf282a9aca168c391c7f48e15a60939352efb3ea33f9
SHA5127ec63b59d8f87a42689f544c2e8e7700da5d8720b37b41216cbd1372c47b1bc3b892020f0dd3a44a05f2a7c07471ff484e4165427f1a9cad0d2393840cd94e5b
-
C:\Users\Admin\AppData\Roaming\com.modrinth.theseus\meta\java_versions\zulu17.48.15-ca-jre17.0.10-win_x64\legal\java.scripting\ASSEMBLY_EXCEPTION
Filesize44B
MD57caf4cdbb99569deb047c20f1aad47c4
SHA124e7497426d27fe3c17774242883ccbed8f54b4d
SHA256b998cda101e5a1ebcfb5ff9cddd76ed43a2f2169676592d428b7c0d780665f2a
SHA512a1435e6f1e4e9285476a0e7bc3b4f645bbafb01b41798a2450390e16b18b242531f346373e01d568f6cc052932a3256e491a65e8b94b118069853f2b0c8cd619
-
Filesize
6.5MB
MD59c114f9b44157779e629cc3bfff91e90
SHA19080587b9623f73ae11f57d6bba6b27d8ca5f35d
SHA256e60bba052cb57b1eb1a73326848cc7b1e35edba175ebbc67958f44d59107bccf
SHA512e422f9a00d0ec92a738bb9910d724c5b879d8477e6a2b993fd76b3467df2b91b1868d3c7e1485db10f4fd5f8beb71ef9dbac06694723eb7a624d99293b51ec12
-
Filesize
15.9MB
MD5f0cff27db82fd3ff9cfb5fe46c47a84e
SHA17f25c29534b402550f901c3586610c6ef143b628
SHA256f9f3b257f8ed8b0dcf0e9e375bd03835ede565ec36bd5b56d6e351a016061dec
SHA512138a30fbf265448a8e956a388a763850847feca902a3fc0527c37dde5b91aa2ae0dc91a0a0013141f9b72040d8bbc81e32dd326cf0168972f8f3e37d134e649d
-
\??\Volume{d608f836-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b9efa534-96cc-4719-bc37-bd3a3a97e441}_OnDiskSnapshotProp
Filesize5KB
MD5e3c296dc3b004c31faef9224f4173ebb
SHA1ea8ab3ab0bcbe947897509278c0c25ec3a84cb84
SHA256ed70193e82e1d03d6ef06c383007d96d0354b211aaa5b07cb9c1986b633a1477
SHA5121a3aeb2c5d99695e168841385e2e53071a4d3379df79fa579852d4e5c7be10c3258e4f4ce812da46aea8228bd2efefefdda5b475a8616bfe097716b110c00cf9
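The dropped-file listing above is raw sandbox output: in extracted copies the label is often fused to its value ("Filesize471B", "MD5d751713988987e9331980363e24189ce"), the path is missing for many entries, and nothing tells you whether a digest is well formed or what a 1-byte or 2-byte file actually contained. The Python below is an added example written for this page, not tria.ge's own tooling. It parses both the fused and the label-on-its-own-line forms into records, flags digests whose length or alphabet does not match the labelled algorithm, and, for files small enough to enumerate, recovers the content by hashing every candidate against all four recorded digests at once. The embedded sample is three entries copied verbatim from this report; the choice of printable ASCII as the candidate alphabet and the two-byte ceiling are assumptions of the example, not facts the report states.

```python
import hashlib
import itertools
import re
import string
from dataclasses import dataclass, field
from typing import Optional

# Hex digest length each algorithm in the report must have.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# A label line: either fused to its value ("MD5d751...", "Filesize471B") or alone.
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)(.*)$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}

# Three entries copied from the report above (fused-label form as extracted).
SAMPLE_REPORT = r"""
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\com.modrinth.theseus\EBWebView\Default\Network\SCT Auditing Pending Reports
Filesize2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD5053891bf9f414e13ca193fd601474586
SHA1c5c966f68bb99c32fdb92df311edaaa9f7f4045c
SHA256e07c7807c2ed9494f2f1968b0b76f89a3897bc3f67bc32a455a0b0beeae6c84b
SHA5124f70a30b235355aac2fa35c56b59b502171cbeee1f88aa6d4f2d12cd940930772efc788f374635d6e1ba79faf55479536478c0359513ad77db6a9e09ddc86a15
"""


@dataclass
class DroppedFile:
    path: Optional[str] = None          # None where extraction lost the path
    size_text: Optional[str] = None     # the report's rounded size, e.g. "29KB"
    hashes: dict = field(default_factory=dict)

    def size_bytes(self) -> Optional[int]:
        """Size in bytes; exact only for byte-denominated entries, rounded otherwise."""
        m = SIZE_RE.match(self.size_text or "")
        if not m:
            return None
        return int(float(m.group(1)) * UNIT[m.group(2)])

    def problems(self) -> list:
        """Digests whose length or alphabet does not fit the labelled algorithm."""
        out = []
        for algo, digest in self.hashes.items():
            if len(digest) != HASH_LENGTHS[algo] or any(c not in string.hexdigits for c in digest):
                out.append(f"{algo}: malformed digest {digest!r}")
        return out


def parse_report(text: str) -> list:
    """Split the '-'-separated listing into DroppedFile records, accepting fused or split labels."""
    entries, cur = [], DroppedFile()
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        if line == "-":
            if cur.hashes or cur.path or cur.size_text:
                entries.append(cur)
            cur = DroppedFile()
            continue
        m = LABEL_RE.match(line)
        if not m:
            cur.path = line                     # any non-label, non-separator line is the path
            continue
        label, value = m.group(1), m.group(2).strip()
        if not value and i < len(lines):        # label alone on its line: value follows
            value = lines[i]
            i += 1
        if label == "Filesize":
            cur.size_text = value
        else:
            cur.hashes[label] = value.lower()
    if cur.hashes or cur.path or cur.size_text:
        entries.append(cur)
    return entries


def recover_tiny_content(entry: DroppedFile, max_len: int = 2,
                         alphabet: bytes = string.printable.encode()) -> Optional[bytes]:
    """Brute-force the bytes of a file small enough to enumerate; every recorded digest must agree."""
    size = entry.size_bytes()
    if size is None or size > max_len or not entry.hashes:
        return None
    for candidate in itertools.product(alphabet, repeat=size):
        data = bytes(candidate)
        if all(hashlib.new(algo.lower(), data).hexdigest() == digest
               for algo, digest in entry.hashes.items()):
            return data
    return None


if __name__ == "__main__":
    for e in parse_report(SAMPLE_REPORT):
        print(e.path or "<path lost in extraction>", e.size_text, e.problems(),
              recover_tiny_content(e))
```

Requiring all four digests to agree is what makes the recovery trustworthy: a single MD5 collision on a two-byte search space is not a realistic worry, but insisting on MD5, SHA-1, SHA-256 and SHA-512 together also catches copy errors in the report itself, because a mistyped digest simply yields no candidate. The same records feed cleanly into IOC matching once the fused labels are gone.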