b1ac36000cee14b9c36aea4cef7f53ed2e7c18c9534b4ff66f07da11e8c07b59

Analysis

max time kernel
81s
max time network
137s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Modrinth App_0.7.1_x64_en-US.msi
Size

5.0MB
MD5

5003486a784143bc96c3577172bbb44a
SHA1

9a960998807126041fae5b4fe9488d7ff3c5ca42
SHA256

b1ac36000cee14b9c36aea4cef7f53ed2e7c18c9534b4ff66f07da11e8c07b59
SHA512

3fd871414cffe35ae649dbb02935eddcad75ee094f2d61f2cef48827dfb852ff3b8e4211f913bf65e4619b2a4989a2807d876a920a105735ac3e59362802ee19
SSDEEP

98304:fNT+6HE4ThcGalSS9d+udj3mYcCqQcgT3XV8tEbETvsDHaLqV710ZZ9rPzrPW:1/HMlS2JxmYcmcg7XGqb6Msq51GP

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2064	powershell.exe
2064	powershell.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2096	msiexec.exe
5	2096	msiexec.exe
7	2096	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Modrinth App\Modrinth App.exe	msiexec.exe
File created	C:\Program Files\Modrinth App\Uninstall Modrinth App.lnk	msiexec.exe
File opened for modification	C:\Program Files\Modrinth App\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f76565b.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76565a.msi	msiexec.exe
File created	C:\Windows\Installer\f76565b.ipi	msiexec.exe
File created	C:\Windows\Installer\{67E35770-3BE7-49CB-BE18-C8626CE846EE}\ProductIcon	msiexec.exe
File created	C:\Windows\Installer\f76565d.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76565a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5775.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{67E35770-3BE7-49CB-BE18-C8626CE846EE}\ProductIcon	msiexec.exe

Loads dropped DLL 7 IoCs

pid	Process
2488	MsiExec.exe
2664	msiexec.exe
2664	msiexec.exe
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mrpack\SupportedTypes\.mrpack	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\13CC58B29F9FD325381898EFA5ED7FD8	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\theseus.mrpack.Document\shell	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mrpack\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\theseus.mrpack.Document\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\theseus.mrpack.Document\ = "Modrinth File"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\07753E767EB3BC94EB818C26C68E64EE\ShortcutsFeature = "MainProgram"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\07753E767EB3BC94EB818C26C68E64EE\MainProgram	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mrpack\SupportedTypes	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mrpack	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\theseus.mrpack.Document\MRPACK File = "Modrinth Modpack Installer"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mrpack\OpenWithList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\SourceList\PackageName = "Modrinth App_0.7.1_x64_en-US.msi"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mrpack\OpenWithList\theseus	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\13CC58B29F9FD325381898EFA5ED7FD8	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\07753E767EB3BC94EB818C26C68E64EE	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\theseus.mrpack.Document	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mrpack\SupportedTypes	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\theseus.mrpack.Document\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mrpack\OpenWithProgids\theseus.mrpack.Document	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\theseus.mrpack.Document\shell\open\command\ = "\"C:\\Program Files\\Modrinth App\\Modrinth App.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mrpack\ = "theseus.mrpack.Document"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mrpack\Content Type = "application/mrpack"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mrpack	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mrpack	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\ProductIcon = "C:\\Windows\\Installer\\{67E35770-3BE7-49CB-BE18-C8626CE846EE}\\ProductIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\theseus.mrpack.Document\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mrpack\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\07753E767EB3BC94EB818C26C68E64EE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\07753E767EB3BC94EB818C26C68E64EE\External	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\13CC58B29F9FD325381898EFA5ED7FD8\07753E767EB3BC94EB818C26C68E64EE	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\theseus.mrpack.Document\shell\open	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\Language = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mrpack\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\theseus.mrpack.Document\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mrpack\OpenWithList\theseus	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mrpack\OpenWithList\theseus\	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mrpack\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mrpack\shell\open\FriendlyAppName = "theseus"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\theseus.mrpack.Document	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\PackageCode = "9F5B067CAC472804384C216F3BA639BB"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07753E767EB3BC94EB818C26C68E64EE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\theseus.mrpack.Document\shell\open\ = "Open"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Features\07753E767EB3BC94EB818C26C68E64EE	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mrpack\OpenWithList	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2664	msiexec.exe
2664	msiexec.exe
2064	powershell.exe
1028	chrome.exe
1028	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeSecurityPrivilege	2664	msiexec.exe
Token: SeCreateTokenPrivilege	2096	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2096	msiexec.exe
Token: SeLockMemoryPrivilege	2096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2096	msiexec.exe
Token: SeMachineAccountPrivilege	2096	msiexec.exe
Token: SeTcbPrivilege	2096	msiexec.exe
Token: SeSecurityPrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeLoadDriverPrivilege	2096	msiexec.exe
Token: SeSystemProfilePrivilege	2096	msiexec.exe
Token: SeSystemtimePrivilege	2096	msiexec.exe
Token: SeProfSingleProcessPrivilege	2096	msiexec.exe
Token: SeIncBasePriorityPrivilege	2096	msiexec.exe
Token: SeCreatePagefilePrivilege	2096	msiexec.exe
Token: SeCreatePermanentPrivilege	2096	msiexec.exe
Token: SeBackupPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeShutdownPrivilege	2096	msiexec.exe
Token: SeDebugPrivilege	2096	msiexec.exe
Token: SeAuditPrivilege	2096	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2096	msiexec.exe
Token: SeChangeNotifyPrivilege	2096	msiexec.exe
Token: SeRemoteShutdownPrivilege	2096	msiexec.exe
Token: SeUndockPrivilege	2096	msiexec.exe
Token: SeSyncAgentPrivilege	2096	msiexec.exe
Token: SeEnableDelegationPrivilege	2096	msiexec.exe
Token: SeManageVolumePrivilege	2096	msiexec.exe
Token: SeImpersonatePrivilege	2096	msiexec.exe
Token: SeCreateGlobalPrivilege	2096	msiexec.exe
Token: SeCreateTokenPrivilege	2096	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2096	msiexec.exe
Token: SeLockMemoryPrivilege	2096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2096	msiexec.exe
Token: SeMachineAccountPrivilege	2096	msiexec.exe
Token: SeTcbPrivilege	2096	msiexec.exe
Token: SeSecurityPrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeLoadDriverPrivilege	2096	msiexec.exe
Token: SeSystemProfilePrivilege	2096	msiexec.exe
Token: SeSystemtimePrivilege	2096	msiexec.exe
Token: SeProfSingleProcessPrivilege	2096	msiexec.exe
Token: SeIncBasePriorityPrivilege	2096	msiexec.exe
Token: SeCreatePagefilePrivilege	2096	msiexec.exe
Token: SeCreatePermanentPrivilege	2096	msiexec.exe
Token: SeBackupPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeShutdownPrivilege	2096	msiexec.exe
Token: SeDebugPrivilege	2096	msiexec.exe
Token: SeAuditPrivilege	2096	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2096	msiexec.exe
Token: SeChangeNotifyPrivilege	2096	msiexec.exe
Token: SeRemoteShutdownPrivilege	2096	msiexec.exe
Token: SeUndockPrivilege	2096	msiexec.exe
Token: SeSyncAgentPrivilege	2096	msiexec.exe
Token: SeEnableDelegationPrivilege	2096	msiexec.exe
Token: SeManageVolumePrivilege	2096	msiexec.exe
Token: SeImpersonatePrivilege	2096	msiexec.exe
Token: SeCreateGlobalPrivilege	2096	msiexec.exe
Token: SeCreateTokenPrivilege	2096	msiexec.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2096	msiexec.exe
2096	msiexec.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2488	2664	msiexec.exe	29
PID 2664 wrote to memory of 2488	2664	msiexec.exe	29
PID 2664 wrote to memory of 2488	2664	msiexec.exe	29
PID 2664 wrote to memory of 2488	2664	msiexec.exe	29
PID 2664 wrote to memory of 2488	2664	msiexec.exe	29
PID 2664 wrote to memory of 2488	2664	msiexec.exe	29
PID 2664 wrote to memory of 2488	2664	msiexec.exe	29
PID 2664 wrote to memory of 2064	2664	msiexec.exe	33
PID 2664 wrote to memory of 2064	2664	msiexec.exe	33
PID 2664 wrote to memory of 2064	2664	msiexec.exe	33
PID 1028 wrote to memory of 3036	1028	chrome.exe	39
PID 1028 wrote to memory of 3036	1028	chrome.exe	39
PID 1028 wrote to memory of 3036	1028	chrome.exe	39
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 872	1028	chrome.exe	41
PID 1028 wrote to memory of 2164	1028	chrome.exe	42
PID 1028 wrote to memory of 2164	1028	chrome.exe	42
PID 1028 wrote to memory of 2164	1028	chrome.exe	42
PID 1028 wrote to memory of 1100	1028	chrome.exe	43
PID 1028 wrote to memory of 1100	1028	chrome.exe	43
PID 1028 wrote to memory of 1100	1028	chrome.exe	43
PID 1028 wrote to memory of 1100	1028	chrome.exe	43
PID 1028 wrote to memory of 1100	1028	chrome.exe	43
PID 1028 wrote to memory of 1100	1028	chrome.exe	43
PID 1028 wrote to memory of 1100	1028	chrome.exe	43
PID 1028 wrote to memory of 1100	1028	chrome.exe	43
PID 1028 wrote to memory of 1100	1028	chrome.exe	43

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2096

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E99F52F41854A1DBF18EA0B6A5155938 C
  2⤵
  - Loads dropped DLL
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2480

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A8" "00000000000004CC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5d49758,0x7fef5d49768,0x7fef5d49778
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1208,i,7960230446260259243,117247867225156505,131072 /prefetch:2
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1208,i,7960230446260259243,117247867225156505,131072 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1208,i,7960230446260259243,117247867225156505,131072 /prefetch:8
  2⤵
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1916 --field-trial-handle=1208,i,7960230446260259243,117247867225156505,131072 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2276 --field-trial-handle=1208,i,7960230446260259243,117247867225156505,131072 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1468 --field-trial-handle=1208,i,7960230446260259243,117247867225156505,131072 /prefetch:2
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2204 --field-trial-handle=1208,i,7960230446260259243,117247867225156505,131072 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3448 --field-trial-handle=1208,i,7960230446260259243,117247867225156505,131072 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3452 --field-trial-handle=1208,i,7960230446260259243,117247867225156505,131072 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3548 --field-trial-handle=1208,i,7960230446260259243,117247867225156505,131072 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3600 --field-trial-handle=1208,i,7960230446260259243,117247867225156505,131072 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 --field-trial-handle=1208,i,7960230446260259243,117247867225156505,131072 /prefetch:8
  2⤵
  PID:2240

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Modrinth App\Modrinth App.lnk

Filesize
2KB

MD5
c770fa7c5b716a9fdbab60109e0d719e

SHA1
803f5830e361fa65b09c18d8fa3110efde52bd1f

SHA256
28b18175b32c044f006200e3136fd463a9a14112bb48377d09b70ef32ce5407e

SHA512
c396e5ad58f8d2836b8de7686cff23aaa2a93500e9d7bde41c0c241b394bd741efec1b6dec1826e815868b71291d1b97b71ebea15191594239df03408e57b158

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
99ec3cf37187ff15cdb93c9c934f832b

SHA1
bfe5f99bbc761c4e98b5a57d4f8f350abe66cff1

SHA256
2a6eb75d3e6b44ee39adc7120885caa307b2430079356229161106a28da68c57

SHA512
f7933e3e17f36d33123d6a9d4bf3b25d3483181152a1e8a69d2ee81d2e2eb1ddf6b1af1487a14bda7e2ba970ef29ae58f95c8152e0948f8e89feeb3d65586e40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_7907B0D1F2DC082B9BA6064FC995BD36

Filesize
727B

MD5
62a44f8a07acd8a38b70903afcbff775

SHA1
b35779f40bbc0fa3bfc198870837205baf681054

SHA256
c24d723d42cf25f34210ea41b642ff04f4718995faf20c2e2fcf0476ac09124b

SHA512
26098698a858f2f91a5335610c8e6e622bcae51bdbd76e5baf5f129d178baefbcb2081a143503ed1b2a9555b1c43cc480bea5f794feac57119628a1fc677473e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
ecde0b56eff5930eedfbd78ea31f578b

SHA1
757aa3c2a1d97b23636798c1d188542522553815

SHA256
dd4f171bc1884238d8052e2dada49274117a379594760aa378c3572e68bf89c6

SHA512
f782cbb486aa181d2d9ad39b2ae448be6af07e0f31dca60dd1ceb71e90e56bad9776a809e68c6a7084ef9c4bd0ffc0f0262d85bf0e11146dd647299688a66fab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
c87a0d76bdf4f10b3be01bb48bd7e4c7

SHA1
b05d8b3b8a3098289197a03a7f88e6357bee4ea3

SHA256
70f88e29b2ec3016d5264617f52e2901f2ad266e229f1b3f893f8ea803a85348

SHA512
57f83a62e908b1ffcb53d7f5c6bf821968d25dd446768c8d2f8c9822d60cdb8abdb02f260a851732aedef510e8c6f433e03eed80317abc7fe8854f50d74c6ee6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_7907B0D1F2DC082B9BA6064FC995BD36

Filesize
420B

MD5
fc31e3db8fbf20f1dd99e96625e1c475

SHA1
b3f575140f6c327eca720cfc9c3c1c19121f8349

SHA256
8e88ff3fec27d17afb2e611fd808209cb1ab6946937e9a8de44d44673eab1f6b

SHA512
3ebc27a59097e4bba79f85f271f5c27e4616fb07430b35e3b9ca0aea32c08fdeaeeac3c72ae94334a5d73681c28f86ba3207798f52710553cc264deaebec663d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
97eebfd5231af2e0feb393f71a3d73cb

SHA1
c46aa85cedf7cb7f581e562af930e9a4d3d7f27d

SHA256
31d5a2734f4d765d2e89c3c78bd2e62c33deba1a08ff8aae0b7face13736910e

SHA512
8ab2835ec3761435cef925825fa5bf7f3000bd67ed53c8235049a2fd10d878f033b7e62364e9ae84151056f5de47b9bdc86893ea5d90f502a74e77ee53e1e66b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
4e6411be6ac63d4dab65d20b065cac77

SHA1
4c6260d1d2ee0c3510891c6529459ad6aef70ecd

SHA256
15e1a9b06645df07dbc09d9853fc016fc2c062e6bf9f668947d765be126514fa

SHA512
2d1323d6c9829818577edfe0396e8598639cc0b731cc806ce7725716e94ea540b262ce8dcb68ffe32d7e546736304585071f384a8ba2218cf7eb8cbf295a985e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002a

Filesize
27KB

MD5
4b419751b95602190e663dcfb4397186

SHA1
584625bb902af71e0d551a72995cce18736bf738

SHA256
566e5021669d6f9d13f9af0fc133ffdb0d2f7b5ad5698aecbbfe1de1c9751ba2

SHA512
60d3976779651bf7652fe6e5e9bf2ed251439ee04a891d3dd5112cac2b7ae6b70cd7cc7a49cf2b71931a3308ebdf945a5254d60a6789ebbbcc749ea2742d0eeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c1bfe231f83a46c1dcac69bce029d0e1

SHA1
4d129501f8ac8731ec3a6660010f4615680382db

SHA256
9398fd11aedb7e615c5d893dc74b03a820ca91d211c82350c419cc36f8d433d8

SHA512
8baa00945716e5be66905b38b4eb6d024ac9e6d978686b59380c583aa40caab730cc4d427d4d4750b57fdae2cccbc626d466322e4d524c3305bfb1bb0de4fbc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cc4621c2519bbe6cca8cac8546946dd4

SHA1
fc6cb70422a396e6428c07fea1b538f088a8be5d

SHA256
19413bd13a324a488ad79a91ca04e3041cb0476d322247b1207a62aabf652852

SHA512
41e43d8d61a1d57ba655cab7e66d1efaab9b1a0061b91826b4e3acb6393f8256a27bd98cb38138a523bee2bbf455d482a15370cdadb81314bc3f5fc35d653cdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
266KB

MD5
da34deb62d4866ed6643f20da23b0cb0

SHA1
e6b3acc6e5d3093f2b9790554988d55e6dcb386f

SHA256
b002374e85a57f95a70aafa29c0db8f627a368bd1f54bef28459073648b0890d

SHA512
d4f6b614d9544b849cac7d4a16d77e1a44afb643f7eb9cd3c28ab1a32bceeddcf8f40c6c3f7784f6f889736cf00056f419d73d6ca0db00b37edc881ce55fa6d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\b5c68334-dbbe-4507-8f36-037c108fe279.tmp

Filesize
266KB

MD5
35da156bf3a414af69ab93a99374ce8e

SHA1
257831edf23894f6492597a8fc5a01c50367131b

SHA256
d7fb89dbd75557101be10ec9ffabb25bc873a46b45cf83bf5f81f912456f9a76

SHA512
3446459b87c5d3dea4bb28885fdbc6564f23f0a8accf17b27e1291ca0e69f7f838f7089e1022efd4416f6da6162bdb4a25ec227fdc5ff4eab41c4c4b6258e57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI395E.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar56C8.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\Installer\f76565a.msi

Filesize
5.0MB

MD5
5003486a784143bc96c3577172bbb44a

SHA1
9a960998807126041fae5b4fe9488d7ff3c5ca42

SHA256
b1ac36000cee14b9c36aea4cef7f53ed2e7c18c9534b4ff66f07da11e8c07b59

SHA512
3fd871414cffe35ae649dbb02935eddcad75ee094f2d61f2cef48827dfb852ff3b8e4211f913bf65e4619b2a4989a2807d876a920a105735ac3e59362802ee19

Download Submit
\Program Files\Modrinth App\Modrinth App.exe

Filesize
9.8MB

MD5
9c91d4e56002b6395d6cdad016ab65fb

SHA1
97af80cdd148e85fe50cf934ed6a224e12fb8122

SHA256
f9a00b54dee51fb3b86bbfb3236a5a53c12a3ceb5ff37063a4013606e485c31c

SHA512
b6228eaaf7c9c33163fab4cbd84fc5dd8dd36800f940851fe6590adba6760d41f65776067f6cbdd8b7c02f1e525bfba4811e98deec4efc45d2edf2df596711c8

Download Submit
memory/2064-94-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2064-93-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download