cdb0a360cca7a5099c2d2357be1a833e032ffdeb3f467a6fac845f6bb77031c9

Analysis

max time kernel
148s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
27/04/2024, 09:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Roblox Account Manager.exe
Size

5.2MB
MD5

a057fae0c8c97ee6cf2c12fb7bcf034d
SHA1

64fe0eb242b5c3f9c42f4f2c1685e4a36708e4f6
SHA256

cdb0a360cca7a5099c2d2357be1a833e032ffdeb3f467a6fac845f6bb77031c9
SHA512

447cf69cf39ef19d098f4ab223d6ad9d760efb1eabb1bb0dac27fd2e55ac14c5a6502f2edd00b199d2db702e38551065bcc087c8df931360e769443908a4d200
SSDEEP

98304:b2bT1Qm7d9GP4i7q0LTWgtUmWzmSyZs9S8Z/LywnrSkqXf0Fb7WnhNMYkj7:4Qm59q/tUhzmS9zZ/mY+kSIb7ahNMYk

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2052	vcredist.tmp
4288	vcredist.tmp
1980	VC_redist.x86.exe

Loads dropped DLL 4 IoCs

pid	Process
4288	vcredist.tmp
1792	VC_redist.x86.exe
1104	Roblox Account Manager.exe
1104	Roblox Account Manager.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{46c3b171-c15c-4137-8e1d-67eeb2985b44} = "\"C:\\ProgramData\\Package Cache\\{46c3b171-c15c-4137-8e1d-67eeb2985b44}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
14	raw.githubusercontent.com

Drops file in System32 directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File created	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{286DC39B-5FB7-4AFF-9DD4-22DB47664CD7}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF6DD9529199AF705F.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9F25DD897DBA5339.TMP	msiexec.exe
File created	C:\Windows\Installer\e5783c6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8732.tmp	msiexec.exe
File created	C:\Windows\Installer\e5783d7.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0A6E573693C49FB4.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFBDCCC036EF26D511.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF74443F948861FF1A.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF90F38DE16A3A1DC3.TMP	msiexec.exe
File created	C:\Windows\Installer\e5783d8.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9C19C103-7DB1-44D1-A039-2C076A633A38}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8D01.tmp	msiexec.exe
File created	C:\Windows\Installer\e5783ed.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5783c6.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF226597CA0DDEAFD7.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85BA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5783d8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8B2B.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF687442E6BDBF1F5B.TMP	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\TypedURLs	Roblox Account Manager.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\Version = "237404527"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle\Dependents	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{286DC39B-5FB7-4AFF-9DD4-22DB47664CD7}v14.38.33135\\packages\\vcRuntimeMinimum_x86\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\PackageCode = "5DCA9E92B1C69C843A615368658FB324"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1\B93CD6827BF5FFA4D94D22BD7466C47D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{286DC39B-5FB7-4AFF-9DD4-22DB47664CD7}v14.38.33135\\packages\\vcRuntimeMinimum_x86\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\301C91C91BD71D440A93C270A636A383\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\Version = "14.38.33135.0"	VC_redist.x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\301C91C91BD71D440A93C270A636A383	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\ = "{9C19C103-7DB1-44D1-A039-2C076A633A38}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{9C19C103-7DB1-44D1-A039-2C076A633A38}v14.38.33135\\packages\\vcRuntimeAdditional_x86\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B93CD6827BF5FFA4D94D22BD7466C47D\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\PackageCode = "253FEC3847DED1B40B7E69DC4FADC1D2"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\301C91C91BD71D440A93C270A636A383\VC_Runtime_Additional	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B93CD6827BF5FFA4D94D22BD7466C47D\Servicing_Key	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\SourceList\Media\1 = ";"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X86,X86,14.30,BUNDLE\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\ProductName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.38.33135"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\ = "{46c3b171-c15c-4137-8e1d-67eeb2985b44}"	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\SourceList\PackageName = "vc_runtimeMinimum_x86.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Version = "14.38.33135"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\301C91C91BD71D440A93C270A636A383\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\SourceList\PackageName = "vc_runtimeAdditional_x86.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.38.33135"	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B93CD6827BF5FFA4D94D22BD7466C47D\VC_Runtime_Minimum	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.38.33135"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\Dependents\{46c3b171-c15c-4137-8e1d-67eeb2985b44}	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.38.33135"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Dependents\{46c3b171-c15c-4137-8e1d-67eeb2985b44}	VC_redist.x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\Version = "237404527"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{46c3b171-c15c-4137-8e1d-67eeb2985b44}	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\Dependents	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14	msiexec.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5084	msiexec.exe
5084	msiexec.exe
5084	msiexec.exe
5084	msiexec.exe
5084	msiexec.exe
5084	msiexec.exe
5084	msiexec.exe
5084	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	Roblox Account Manager.exe
Token: SeBackupPrivilege	1080	vssvc.exe
Token: SeRestorePrivilege	1080	vssvc.exe
Token: SeAuditPrivilege	1080	vssvc.exe
Token: SeShutdownPrivilege	1980	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	1980	VC_redist.x86.exe
Token: SeSecurityPrivilege	5084	msiexec.exe
Token: SeCreateTokenPrivilege	1980	VC_redist.x86.exe
Token: SeAssignPrimaryTokenPrivilege	1980	VC_redist.x86.exe
Token: SeLockMemoryPrivilege	1980	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	1980	VC_redist.x86.exe
Token: SeMachineAccountPrivilege	1980	VC_redist.x86.exe
Token: SeTcbPrivilege	1980	VC_redist.x86.exe
Token: SeSecurityPrivilege	1980	VC_redist.x86.exe
Token: SeTakeOwnershipPrivilege	1980	VC_redist.x86.exe
Token: SeLoadDriverPrivilege	1980	VC_redist.x86.exe
Token: SeSystemProfilePrivilege	1980	VC_redist.x86.exe
Token: SeSystemtimePrivilege	1980	VC_redist.x86.exe
Token: SeProfSingleProcessPrivilege	1980	VC_redist.x86.exe
Token: SeIncBasePriorityPrivilege	1980	VC_redist.x86.exe
Token: SeCreatePagefilePrivilege	1980	VC_redist.x86.exe
Token: SeCreatePermanentPrivilege	1980	VC_redist.x86.exe
Token: SeBackupPrivilege	1980	VC_redist.x86.exe
Token: SeRestorePrivilege	1980	VC_redist.x86.exe
Token: SeShutdownPrivilege	1980	VC_redist.x86.exe
Token: SeDebugPrivilege	1980	VC_redist.x86.exe
Token: SeAuditPrivilege	1980	VC_redist.x86.exe
Token: SeSystemEnvironmentPrivilege	1980	VC_redist.x86.exe
Token: SeChangeNotifyPrivilege	1980	VC_redist.x86.exe
Token: SeRemoteShutdownPrivilege	1980	VC_redist.x86.exe
Token: SeUndockPrivilege	1980	VC_redist.x86.exe
Token: SeSyncAgentPrivilege	1980	VC_redist.x86.exe
Token: SeEnableDelegationPrivilege	1980	VC_redist.x86.exe
Token: SeManageVolumePrivilege	1980	VC_redist.x86.exe
Token: SeImpersonatePrivilege	1980	VC_redist.x86.exe
Token: SeCreateGlobalPrivilege	1980	VC_redist.x86.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 1104	4824	Roblox Account Manager.exe	81
PID 4824 wrote to memory of 1104	4824	Roblox Account Manager.exe	81
PID 4824 wrote to memory of 1104	4824	Roblox Account Manager.exe	81
PID 1104 wrote to memory of 2052	1104	Roblox Account Manager.exe	82
PID 1104 wrote to memory of 2052	1104	Roblox Account Manager.exe	82
PID 1104 wrote to memory of 2052	1104	Roblox Account Manager.exe	82
PID 2052 wrote to memory of 4288	2052	vcredist.tmp	83
PID 2052 wrote to memory of 4288	2052	vcredist.tmp	83
PID 2052 wrote to memory of 4288	2052	vcredist.tmp	83
PID 4288 wrote to memory of 1980	4288	vcredist.tmp	84
PID 4288 wrote to memory of 1980	4288	vcredist.tmp	84
PID 4288 wrote to memory of 1980	4288	vcredist.tmp	84
PID 1980 wrote to memory of 5100	1980	VC_redist.x86.exe	91
PID 1980 wrote to memory of 5100	1980	VC_redist.x86.exe	91
PID 1980 wrote to memory of 5100	1980	VC_redist.x86.exe	91
PID 5100 wrote to memory of 1792	5100	VC_redist.x86.exe	92
PID 5100 wrote to memory of 1792	5100	VC_redist.x86.exe	92
PID 5100 wrote to memory of 1792	5100	VC_redist.x86.exe	92
PID 1792 wrote to memory of 3236	1792	VC_redist.x86.exe	93
PID 1792 wrote to memory of 3236	1792	VC_redist.x86.exe	93
PID 1792 wrote to memory of 3236	1792	VC_redist.x86.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
  "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\vcredist.tmp
    "C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" /q /norestart
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\Temp\{8C0697F6-8DB5-4DF5-A703-644ED9028217}\.cr\vcredist.tmp
      "C:\Windows\Temp\{8C0697F6-8DB5-4DF5-A703-644ED9028217}\.cr\vcredist.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" -burn.filehandle.attached=584 -burn.filehandle.self=580 /q /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:4288
    - - C:\Windows\Temp\{EB51E937-5A83-4932-B574-7EADD12E2F0A}\.be\VC_redist.x86.exe
        
        "C:\Windows\Temp\{EB51E937-5A83-4932-B574-7EADD12E2F0A}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{5435EC4B-7B4C-49CA-9B27-1F76919F1D52} {2091E830-5172-4ACF-95C6-83F816A0442A} 4288
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={46c3b171-c15c-4137-8e1d-67eeb2985b44} -burn.filehandle.self=932 -burn.embedded BurnPipe.{AF518BB6-68CA-4C36-AF93-A4951C7B70D4} {2652963F-CBBF-4C02-972A-997C8D551FF3} 1980
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=560 -uninstall -quiet -burn.related.upgrade -burn.ancestors={46c3b171-c15c-4137-8e1d-67eeb2985b44} -burn.filehandle.self=932 -burn.embedded BurnPipe.{AF518BB6-68CA-4C36-AF93-A4951C7B70D4} {2652963F-CBBF-4C02-972A-997C8D551FF3} 1980
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{B11DCA9B-0D8F-4F9F-8012-2BECF09167EC} {D71ADCDA-1B8A-450C-915D-6776BC7E18F9} 1792
        8⤵
        Modifies registry class
        
        PID:3236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5783cb.rbs

Filesize
16KB

MD5
40515ae39006b88004e9fb2ec173df6d

SHA1
36b7c6d8d944f1c41b324d43830fede8fd9451f5

SHA256
0c29c88f36c00af8d5337988002ac9ff3deff990b97477ca079041d3aedd7be1

SHA512
4a98090d353171261e652eb0eff8711dda3bc07a3119a14c574348f6f702fd9b51ae291e860933182235815b6f99fcc509725701488af8daa1c7ecad2ee1b8c0

Download Submit
C:\Config.Msi\e5783d0.rbs

Filesize
18KB

MD5
325285ddd904ab3fa6f9ab58aa56e097

SHA1
d8c278f785d1595078b467c82aa42323516adfd8

SHA256
aba99bf715dafc784fe6e38b809746d01ad9affd8938dc806906e58d5cdfaf3a

SHA512
629c34dfb999f7c9b142823e5b0daecbc01abadc8992cd6e8b9794466bb734b587d8ee3bad41f558bf7f00186c3a57d35a5181d429d2eab9066bd2e6f2bac408

Download Submit
C:\Config.Msi\e5783dd.rbs

Filesize
20KB

MD5
8ad136e1f1982c44c3a2f2800d5ecbac

SHA1
7dd14477cc8338fd5458a9f44283a965002d7d3d

SHA256
468049c2672781616f1edd8eabd9dda5ab498beb68baf053fe4026ade6832763

SHA512
f96b3bf254cc68de5ed9b1854fe7f08205893eda539567e66613f4679efb1b5b69f641e446ce282e606fbfa95eea3bb61da3d86ec071f052d6eb84fb3cd56386

Download Submit
C:\Config.Msi\e5783ec.rbs

Filesize
19KB

MD5
4be215a53a950b230c08dbb023f69fb2

SHA1
5dcd18af04ec1816ce26adb5e0ed3755856ea752

SHA256
75ba6ddd552c6880a26ed3441e749fc42003536641f40566041ad0ba5f0ff88a

SHA512
a0ef667fb64b8a5fb95463ba5e9811c8df024d914e6dcfdfcd1f34c2668ac46dd377720029fa80d0e9b59988767709abc7ef654a2c9c64f2481ee5fefc3767a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Roblox Account Manager.exe.log

Filesize
1KB

MD5
72c442c0ee7dde7b3455bb315289bcf2

SHA1
d33367411ce01348f531e098495885b9d2ea110b

SHA256
180f825c19263ae06fc891efcde51f993b720a27bd6e563742a110b40cb3fe41

SHA512
b66e975424f17e3b4dce2d2746d78b8a05001ee17a7208c1f5f81ed8530aa2e3d4b10f4c64b33ba7c05a5e9e2afc548abf6bdfaffd6015c2cb7d624a688dc018

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMSettings.ini

Filesize
1KB

MD5
5369e83203a8972ee844ac973efd985a

SHA1
d91909ad9be3a67f66687a5cc58258fe2b715986

SHA256
fbbf21c6c6a3594b126ad1e48a06e315478022b6fa54ab0dc54b9ddaf30089ee

SHA512
af7fbb21b3ff7a32b34c72a303f380edda527a0f4273237f3c9a9f8804e83eb2bbbc1300135d094f64888227d72fdd832616dc2e18797398ad3df6db0d6b16f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMTheme.ini

Filesize
314B

MD5
f18fa783f4d27e35e54e54417334bfb4

SHA1
94511cdf37213bebdaf42a6140c9fe5be8eb07ba

SHA256
563eb35fd613f4298cd4dceff67652a13ba516a6244d9407c5709323c4ca4bb1

SHA512
602f6a68562bc89a4b3c3a71c2477377f161470bf8ae8e6925bf35691367115abfa9809925bd09c35596c6a3e5a7e9d090e5198e6a885a6658049c8732a05071

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe.config

Filesize
5KB

MD5
7e067afe7c779870c370c40240e2ce1f

SHA1
71d59901ee26810c2b2cfdeca176cec9a54fdb48

SHA256
5e0ba1895cf088e6d6907b8abbd8cd41c86f39cc642351a9ab0bf458bf1f5b31

SHA512
7ae4e81cd7a06aca5c363e1009d898aa8b42236d6796c38a8ba07adb52eae45f69cd446d008a0e1d12c60c02a43bee1c813231d58884c6dd69a2967e243c9cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240427091231_000_vcRuntimeMinimum_x86.log

Filesize
2KB

MD5
1b99daab914739f93fdaee3230f282ee

SHA1
c89954511ea6c3062c700e8582fc0355f7e0ba8e

SHA256
3c7cf07a5c50166d54ce437cffdfee03128ed1b03b7bb5a47dac6988f615ea18

SHA512
d092f0e25008648b49484e96fcfc7ca9ec279aa72ea58305709089fa5bf9fa852d0930df4120f2a98ed8a818de4e011859631cbfa9d713e0f202d4751a3c14f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240427091231_001_vcRuntimeAdditional_x86.log

Filesize
2KB

MD5
afb568d2158d7eb2c47605cf063a900e

SHA1
d2c7737b9c2f6d161223f84890cf5cc51acc98cc

SHA256
ec28b8843c3cb789e0616f55edecf1220dc01e8b89f01072b32bdcd9970a46c2

SHA512
3c7f4386bf0af258fdeeeef9dcc7dabe1def187dc5874d06128f6892282a0994d230f806b719c9654a48cd725735d8132d563bd9ff39a06e033a69ae7b28246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libsodium.dll

Filesize
477KB

MD5
4f6426e3626d5d46fb19c13043cb84de

SHA1
9dfa32f957c19c843a568b57d555d6d5cbc61579

SHA256
7a960129f6d3f8d44b4c6be27f587c29aa8bafb9c4d3c85bb84a5f5d8fa6e2ba

SHA512
7a83adf2b36973ceb52bfc95591bc91d4ac778a4e11d11723f6d8bf208811b8fa7d072851cfed73407c9413455de717e9a42f8e6bb1a133cb2b1981c66bb5832

Download Submit
C:\Users\Admin\AppData\Local\Temp\log4.config

Filesize
936B

MD5
e4659ac08af3582a23f38bf6c562f841

SHA1
19cb4f014ba96285fa1798f008deabce632c7e76

SHA256
e4b10630d9ec2af508de31752fbbc6816c7426c40a3e57f0a085ce7f42c77bd5

SHA512
5bfa1e021cc7ee5e7a00da865d68684202b3b92d3d369b85b80c591fffa67725d434398325dc1e37c659eab62c0a4118b3e279ac0096b95790d252ceb6254249

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist.tmp

Filesize
13.2MB

MD5
9882a328c8414274555845fa6b542d1e

SHA1
ab4a97610b127d68c45311deabfbcd8aa7066f4b

SHA256
510fc8c2112e2bc544fb29a72191eabcc68d3a5a7468d35d7694493bc8593a79

SHA512
c08d1aa7e6e6215a0cee2793592b65668066c8c984b26675d2b8c09bc7fee21411cb3c0a905eaee7a48e7a47535fa777de21eeb07c78bca7bf3d7bb17192acf2

Download Submit
C:\Windows\SysWOW64\VCRUNTIME140.dll

Filesize
88KB

MD5
9c133b18fa9ed96e1aeb2da66e4a4f2b

SHA1
238d34dbd80501b580587e330d4405505d5e80f2

SHA256
c7d9dfddbe68cf7c6f0b595690e31a26df4780f465d2b90b5f400f2d8d788512

SHA512
d2d588f9940e7e623022adebebdc5af68421a8c1024177189d11df45481d7bfed16400958e67454c84ba97f0020da559a8dae2ec41950dc07e629b0fd4752e2f

Download Submit
C:\Windows\Temp\{8C0697F6-8DB5-4DF5-A703-644ED9028217}\.cr\vcredist.tmp

Filesize
634KB

MD5
7bd0b2d204d75012d3a9a9ce107c379e

SHA1
41edd6321965d48e11ecded3852eb32e3c13848d

SHA256
d4c6f5c74bbb45c4f33d9cb7ddce47226ea0a5ab90b8ff3f420b63a55c3f6dd2

SHA512
d85ac030ebb3ba4412e69b5693406fe87e46696ca2a926ef75b6f6438e16b0c7ed1342363098530cdceb4db8e50614f33f972f7995e4222313fcef036887d0f0

Download Submit
C:\Windows\Temp\{EB51E937-5A83-4932-B574-7EADD12E2F0A}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{EB51E937-5A83-4932-B574-7EADD12E2F0A}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{EB51E937-5A83-4932-B574-7EADD12E2F0A}\cab54A5CABBE7274D8A22EB58060AAB7623

Filesize
814KB

MD5
a57efc0afffdf914cbc76bb882cad37e

SHA1
732dbef27c49c27d9f1c00eba177eabc21650fb8

SHA256
c384da7cc6ead2ce054a67fded26d7e4cff2f981a83c64de62e53864665e5f45

SHA512
ad2cfc0fd199fe2726fd18c0a5972185e8331fe49807ca6340212901dd61d30853e2c72015ee9bac0425e287ef488190a245676173194fafbf8f6fc7fbf9baba

Download Submit
C:\Windows\Temp\{EB51E937-5A83-4932-B574-7EADD12E2F0A}\cabB3E1576D1FEFBB979E13B1A5379E0B16

Filesize
4.9MB

MD5
4a17e4da145fa1ea92a52266221ad628

SHA1
f6304de9d73609f6b9717d6a4d44efd7ab7ffe9e

SHA256
9544abbd46b39bec491cf63076fb109306e519f303df9cd583a28956172bf038

SHA512
de9a6a1391070a9470f78208ff74120cffd2a1e2580af4add87914ba6dd27e07b092e66caa847726e05eb5fae0c1252681de37f34b560d4d95f3b76f3599e16c

Download Submit
C:\Windows\Temp\{EB51E937-5A83-4932-B574-7EADD12E2F0A}\vcRuntimeAdditional_x86

Filesize
180KB

MD5
a37983d3fca236d6ae2d22ab0fa9f1d4

SHA1
82f77032813aeddf321d681da4e1aa50786258dd

SHA256
a7f13351ce5b41fcf6c2ed95f223f5e2aab5411bf8499a772f69ad8ffb87f96b

SHA512
619467e6d4aa6bc8f1cc02daf52330e28c313d774a1d0b0bb96d40a2ed2dc3697cee738463faed040e1bca407c3471ae1bc8dd91472682b25c579caacdbf7374

Download Submit
C:\Windows\Temp\{EB51E937-5A83-4932-B574-7EADD12E2F0A}\vcRuntimeMinimum_x86

Filesize
180KB

MD5
3ca6b74aefe34587f479055f5915e136

SHA1
61771e0a8ccabac8783a22f67adcbce612f11704

SHA256
a6f3a8e4e2162d8df176418e9a238becb645b2db31d8073bfc4f4cdb7fb1aa22

SHA512
3949cb3fdad3e8d5e9c649141a72783e0b403d3e835433d4d456654bcdad1290258f6d023ce127740f9c82459d337b9f8731c799efcf99775955d38cf3fef750

Download Submit
memory/1104-20-0x0000000005A80000-0x0000000005A8A000-memory.dmp

Filesize
40KB

Download
memory/1104-324-0x0000000002B10000-0x0000000002B18000-memory.dmp

Filesize
32KB

Download
memory/1104-31-0x000000000B190000-0x000000000B1E8000-memory.dmp

Filesize
352KB

Download
memory/1104-33-0x000000000B430000-0x000000000B4E2000-memory.dmp

Filesize
712KB

Download
memory/1104-34-0x000000000B640000-0x000000000B662000-memory.dmp

Filesize
136KB

Download
memory/1104-35-0x000000000B7B0000-0x000000000B86E000-memory.dmp

Filesize
760KB

Download
memory/1104-36-0x000000000B870000-0x000000000B88A000-memory.dmp

Filesize
104KB

Download
memory/1104-37-0x000000000B8A0000-0x000000000B8A8000-memory.dmp

Filesize
32KB

Download
memory/1104-38-0x000000000B8B0000-0x000000000B8B8000-memory.dmp

Filesize
32KB

Download
memory/1104-39-0x000000000B8D0000-0x000000000B8DA000-memory.dmp

Filesize
40KB

Download
memory/1104-26-0x000000000A690000-0x000000000A69A000-memory.dmp

Filesize
40KB

Download
memory/1104-23-0x000000000A370000-0x000000000A3A4000-memory.dmp

Filesize
208KB

Download
memory/1104-24-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/1104-22-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/1104-511-0x0000000074A80000-0x0000000075231000-memory.dmp

Filesize
7.7MB

Download
memory/1104-19-0x00000000059C0000-0x0000000005A34000-memory.dmp

Filesize
464KB

Download
memory/1104-16-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/1104-508-0x000000000DA80000-0x000000000DDD7000-memory.dmp

Filesize
3.3MB

Download
memory/1104-14-0x0000000074A80000-0x0000000075231000-memory.dmp

Filesize
7.7MB

Download
memory/1104-507-0x0000000007090000-0x000000000709A000-memory.dmp

Filesize
40KB

Download
memory/1104-506-0x0000000007050000-0x0000000007066000-memory.dmp

Filesize
88KB

Download
memory/1104-505-0x0000000007020000-0x000000000702A000-memory.dmp

Filesize
40KB

Download
memory/1104-504-0x000000000DFB0000-0x000000000E4DC000-memory.dmp

Filesize
5.2MB

Download
memory/1104-333-0x0000000006E00000-0x0000000006E12000-memory.dmp

Filesize
72KB

Download
memory/1104-331-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/1104-330-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/1104-25-0x000000000AB20000-0x000000000ABB2000-memory.dmp

Filesize
584KB

Download
memory/1104-320-0x0000000074A80000-0x0000000075231000-memory.dmp

Filesize
7.7MB

Download
memory/1104-321-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/1104-322-0x0000000002AE0000-0x0000000002AF4000-memory.dmp

Filesize
80KB

Download
memory/1104-323-0x0000000006DB0000-0x0000000006E00000-memory.dmp

Filesize
320KB

Download
memory/1792-279-0x0000000000930000-0x00000000009A7000-memory.dmp

Filesize
476KB

Download
memory/3236-242-0x0000000000930000-0x00000000009A7000-memory.dmp

Filesize
476KB

Download
memory/4824-2-0x0000000005BA0000-0x0000000006146000-memory.dmp

Filesize
5.6MB

Download
memory/4824-1-0x0000000074A80000-0x0000000075231000-memory.dmp

Filesize
7.7MB

Download
memory/4824-3-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/4824-4-0x0000000005400000-0x0000000005446000-memory.dmp

Filesize
280KB

Download
memory/4824-5-0x0000000005510000-0x00000000055A2000-memory.dmp

Filesize
584KB

Download
memory/4824-6-0x0000000005470000-0x0000000005496000-memory.dmp

Filesize
152KB

Download
memory/4824-7-0x00000000054B0000-0x00000000054CE000-memory.dmp

Filesize
120KB

Download
memory/4824-15-0x0000000074A80000-0x0000000075231000-memory.dmp

Filesize
7.7MB

Download
memory/4824-0-0x0000000000420000-0x000000000095E000-memory.dmp

Filesize
5.2MB

Download
memory/5100-280-0x0000000000930000-0x00000000009A7000-memory.dmp

Filesize
476KB

Download