be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1

Analysis

max time kernel
139s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox Account Manager.exe
Size

5.4MB
MD5

334728f32a1144c893fdffc579a7709b
SHA1

97d2eb634d45841c1453749acb911ce1303196c0
SHA256

be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1
SHA512

5df9d63136098d23918eba652b44a87e979430b2ce3e78a3eb8faef3dd4bd9599d6c31980f9eaf2bd6a071e966421bc6cec950c28b3b917f90130e8a582c2a1f
SSDEEP

98304:42bT1Qm7d9G4/Ml61KO9bjRxMLywnrmYa0kqXf0FJ7WLhrBzcgPgL6b:/Qm59RMowO9bjRmmYiYa0kSIJ7zgPE

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Roblox Account Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	vcredist.tmp

Executes dropped EXE 3 IoCs

pid	Process
536	vcredist.tmp
1212	vcredist.tmp
540	VC_redist.x86.exe

Loads dropped DLL 3 IoCs

pid	Process
1376	Roblox Account Manager.exe
1212	vcredist.tmp
3236	VC_redist.x86.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{47109d57-d746-4f8b-9618-ed6a17cc922b} = "\"C:\\ProgramData\\Package Cache\\{47109d57-d746-4f8b-9618-ed6a17cc922b}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
34	raw.githubusercontent.com
35	raw.githubusercontent.com

Drops file in System32 directory 49 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File created	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI261C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI309D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI32A2.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0C3457A0-3DCE-4A33-BEF0-9B528C557771}	msiexec.exe
File created	C:\Windows\Installer\e5923bc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e5923bd.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5EA6C998-D5AC-4ED9-89C3-9F25B17CCD3D}	msiexec.exe
File created	C:\Windows\Installer\e5923ab.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5923ab.msi	msiexec.exe
File created	C:\Windows\Installer\e5923d2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5923bd.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox Account Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox Account Manager.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000bf081c85bb6cd1e80000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000bf081c850000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900bf081c85000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dbf081c85000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000bf081c8500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\TypedURLs	Roblox Account Manager.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1\0A7543C0ECD333A4EB0FB925C8557717	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\899C6AE5CA5D9DE4983CF9521BC7DCD3\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X86,X86,14.30,BUNDLE\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\899C6AE5CA5D9DE4983CF9521BC7DCD3\VC_Runtime_Additional	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.40.33810"	VC_redist.x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{0C3457A0-3DCE-4A33-BEF0-9B528C557771}v14.40.33810\\packages\\vcRuntimeMinimum_x86\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{47109d57-d746-4f8b-9618-ed6a17cc922b}	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A7543C0ECD333A4EB0FB925C8557717\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\Version = "237536274"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\899C6AE5CA5D9DE4983CF9521BC7DCD3\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\ = "{47109d57-d746-4f8b-9618-ed6a17cc922b}"	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A7543C0ECD333A4EB0FB925C8557717\VC_Runtime_Minimum	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A7543C0ECD333A4EB0FB925C8557717\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\ProductName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.40.33810"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Version = "14.40.33810"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\AdvertiseFlags = "388"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A7543C0ECD333A4EB0FB925C8557717	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\ProductName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.40.33810"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\Version = "237536274"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.40.33810"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\PackageCode = "829638B4928B2094C8872CEC8D04BB92"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{5EA6C998-D5AC-4ED9-89C3-9F25B17CCD3D}v14.40.33810\\packages\\vcRuntimeAdditional_x86\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\ = "{5EA6C998-D5AC-4ED9-89C3-9F25B17CCD3D}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50\899C6AE5CA5D9DE4983CF9521BC7DCD3	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\Dependents\{47109d57-d746-4f8b-9618-ed6a17cc922b}	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\SourceList\PackageName = "vc_runtimeAdditional_x86.msi"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\679E80FBE29B63345BF612177149674C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\Version = "14.40.33810.0"	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\Language = "1033"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList	msiexec.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3568	msiexec.exe
3568	msiexec.exe
3568	msiexec.exe
3568	msiexec.exe
3568	msiexec.exe
3568	msiexec.exe
540	VC_redist.x86.exe
540	VC_redist.x86.exe
540	VC_redist.x86.exe
540	VC_redist.x86.exe
540	VC_redist.x86.exe
540	VC_redist.x86.exe
3568	msiexec.exe
3568	msiexec.exe
3568	msiexec.exe
3568	msiexec.exe
3568	msiexec.exe
3568	msiexec.exe
3568	msiexec.exe
3568	msiexec.exe
3568	msiexec.exe
3568	msiexec.exe
3568	msiexec.exe
3568	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1376	Roblox Account Manager.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	Roblox Account Manager.exe
Token: SeBackupPrivilege	3492	vssvc.exe
Token: SeRestorePrivilege	3492	vssvc.exe
Token: SeAuditPrivilege	3492	vssvc.exe
Token: SeShutdownPrivilege	540	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	540	VC_redist.x86.exe
Token: SeSecurityPrivilege	3568	msiexec.exe
Token: SeCreateTokenPrivilege	540	VC_redist.x86.exe
Token: SeAssignPrimaryTokenPrivilege	540	VC_redist.x86.exe
Token: SeLockMemoryPrivilege	540	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	540	VC_redist.x86.exe
Token: SeMachineAccountPrivilege	540	VC_redist.x86.exe
Token: SeTcbPrivilege	540	VC_redist.x86.exe
Token: SeSecurityPrivilege	540	VC_redist.x86.exe
Token: SeTakeOwnershipPrivilege	540	VC_redist.x86.exe
Token: SeLoadDriverPrivilege	540	VC_redist.x86.exe
Token: SeSystemProfilePrivilege	540	VC_redist.x86.exe
Token: SeSystemtimePrivilege	540	VC_redist.x86.exe
Token: SeProfSingleProcessPrivilege	540	VC_redist.x86.exe
Token: SeIncBasePriorityPrivilege	540	VC_redist.x86.exe
Token: SeCreatePagefilePrivilege	540	VC_redist.x86.exe
Token: SeCreatePermanentPrivilege	540	VC_redist.x86.exe
Token: SeBackupPrivilege	540	VC_redist.x86.exe
Token: SeRestorePrivilege	540	VC_redist.x86.exe
Token: SeShutdownPrivilege	540	VC_redist.x86.exe
Token: SeDebugPrivilege	540	VC_redist.x86.exe
Token: SeAuditPrivilege	540	VC_redist.x86.exe
Token: SeSystemEnvironmentPrivilege	540	VC_redist.x86.exe
Token: SeChangeNotifyPrivilege	540	VC_redist.x86.exe
Token: SeRemoteShutdownPrivilege	540	VC_redist.x86.exe
Token: SeUndockPrivilege	540	VC_redist.x86.exe
Token: SeSyncAgentPrivilege	540	VC_redist.x86.exe
Token: SeEnableDelegationPrivilege	540	VC_redist.x86.exe
Token: SeManageVolumePrivilege	540	VC_redist.x86.exe
Token: SeImpersonatePrivilege	540	VC_redist.x86.exe
Token: SeCreateGlobalPrivilege	540	VC_redist.x86.exe
Token: SeRestorePrivilege	3568	msiexec.exe
Token: SeTakeOwnershipPrivilege	3568	msiexec.exe
Token: SeRestorePrivilege	3568	msiexec.exe
Token: SeTakeOwnershipPrivilege	3568	msiexec.exe
Token: SeRestorePrivilege	3568	msiexec.exe
Token: SeTakeOwnershipPrivilege	3568	msiexec.exe
Token: SeRestorePrivilege	3568	msiexec.exe
Token: SeTakeOwnershipPrivilege	3568	msiexec.exe
Token: SeRestorePrivilege	3568	msiexec.exe
Token: SeTakeOwnershipPrivilege	3568	msiexec.exe
Token: SeRestorePrivilege	3568	msiexec.exe
Token: SeTakeOwnershipPrivilege	3568	msiexec.exe
Token: SeRestorePrivilege	3568	msiexec.exe
Token: SeTakeOwnershipPrivilege	3568	msiexec.exe
Token: SeRestorePrivilege	3568	msiexec.exe
Token: SeTakeOwnershipPrivilege	3568	msiexec.exe
Token: SeRestorePrivilege	3568	msiexec.exe
Token: SeTakeOwnershipPrivilege	3568	msiexec.exe
Token: SeRestorePrivilege	3568	msiexec.exe
Token: SeTakeOwnershipPrivilege	3568	msiexec.exe
Token: SeRestorePrivilege	3568	msiexec.exe
Token: SeTakeOwnershipPrivilege	3568	msiexec.exe
Token: SeRestorePrivilege	3568	msiexec.exe
Token: SeTakeOwnershipPrivilege	3568	msiexec.exe
Token: SeRestorePrivilege	3568	msiexec.exe
Token: SeTakeOwnershipPrivilege	3568	msiexec.exe
Token: SeRestorePrivilege	3568	msiexec.exe
Token: SeTakeOwnershipPrivilege	3568	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4488	Roblox Account Manager.exe
1376	Roblox Account Manager.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 1376	4488	Roblox Account Manager.exe	87
PID 4488 wrote to memory of 1376	4488	Roblox Account Manager.exe	87
PID 4488 wrote to memory of 1376	4488	Roblox Account Manager.exe	87
PID 1376 wrote to memory of 536	1376	Roblox Account Manager.exe	91
PID 1376 wrote to memory of 536	1376	Roblox Account Manager.exe	91
PID 1376 wrote to memory of 536	1376	Roblox Account Manager.exe	91
PID 536 wrote to memory of 1212	536	vcredist.tmp	92
PID 536 wrote to memory of 1212	536	vcredist.tmp	92
PID 536 wrote to memory of 1212	536	vcredist.tmp	92
PID 1212 wrote to memory of 540	1212	vcredist.tmp	93
PID 1212 wrote to memory of 540	1212	vcredist.tmp	93
PID 1212 wrote to memory of 540	1212	vcredist.tmp	93
PID 540 wrote to memory of 1732	540	VC_redist.x86.exe	102
PID 540 wrote to memory of 1732	540	VC_redist.x86.exe	102
PID 540 wrote to memory of 1732	540	VC_redist.x86.exe	102
PID 1732 wrote to memory of 3236	1732	VC_redist.x86.exe	103
PID 1732 wrote to memory of 3236	1732	VC_redist.x86.exe	103
PID 1732 wrote to memory of 3236	1732	VC_redist.x86.exe	103
PID 3236 wrote to memory of 1200	3236	VC_redist.x86.exe	104
PID 3236 wrote to memory of 1200	3236	VC_redist.x86.exe	104
PID 3236 wrote to memory of 1200	3236	VC_redist.x86.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
  "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Users\Admin\AppData\Local\Temp\vcredist.tmp
    "C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" /q /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\Temp\{A8418582-12E5-4F41-935E-0573851E37F2}\.cr\vcredist.tmp
      "C:\Windows\Temp\{A8418582-12E5-4F41-935E-0573851E37F2}\.cr\vcredist.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" -burn.filehandle.attached=544 -burn.filehandle.self=652 /q /norestart
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1212
    - - C:\Windows\Temp\{68DA4AF8-8249-434C-AFAF-5DD76F346D36}\.be\VC_redist.x86.exe
        
        "C:\Windows\Temp\{68DA4AF8-8249-434C-AFAF-5DD76F346D36}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{6AF6F8A6-566A-4838-A65E-3441F9293DB4} {01334CD5-0FFF-4E21-9325-3F296CCEA54E} 1212
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:540
      - C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={47109d57-d746-4f8b-9618-ed6a17cc922b} -burn.filehandle.self=1084 -burn.embedded BurnPipe.{2BBA4633-788A-4326-8F24-2CCE5121316C} {015BCB72-B528-453B-B02F-254314D9E4BD} 540
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=516 -burn.filehandle.self=548 -uninstall -quiet -burn.related.upgrade -burn.ancestors={47109d57-d746-4f8b-9618-ed6a17cc922b} -burn.filehandle.self=1084 -burn.embedded BurnPipe.{2BBA4633-788A-4326-8F24-2CCE5121316C} {015BCB72-B528-453B-B02F-254314D9E4BD} 540
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{5E9BE1FF-549E-45C9-A6A2-5284EA9110E4} {FAE08CD4-3050-43BF-93EF-77A8C13D6DA7} 3236
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:1808

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5923b0.rbs

Filesize
16KB

MD5
c9d2d79f8e34f21884ff4d26291ccd9a

SHA1
4974d9f173795df772601367cf90d55c4648c651

SHA256
a9101495713f6132731223778f2db4b6ce97986a7d7642931eac3b86440298be

SHA512
35f168251d749204704fa40524ad452f670ed47d160a222347895b5095ec727667b0ed0b785c9c4f4d0de9f7a447e0782da1613f47cde4598caf7071ee2ea5ee

Download Submit
C:\Config.Msi\e5923b5.rbs

Filesize
18KB

MD5
0383c196d89925d8c59b8902ae2ac822

SHA1
71707e8072ff129832f568fd11cb8c272eb66e01

SHA256
095ae840e2dbfc641f7dffa2375e48eff845208e7ae0be0c0029e27ca3c31831

SHA512
96e2fef28ba0b06e6a2cfb9946c4d1898f9b5e6d46d2b9dfdb5cf682c366b0d084a4542a089d1ced3f9c1e3e9737c6044024de8e1254e2a7ad39f60be551fba0

Download Submit
C:\Config.Msi\e5923c2.rbs

Filesize
20KB

MD5
61f8ad29fd37166e90f018a4d2a55044

SHA1
4836eeef9f66e512aa296895a423c365078b39ab

SHA256
ee50ca4238f83b38b3df221f52b559ca9933a2bb2826c75467e6c2f536aa911f

SHA512
9727df2278c899d467b8f3de7e490495b802cf7fb045872794dc576fb04dffc7b4eb96d02369e65d2a2091aaad36269c5272a6b0cc465b2a01a0ec3428ccff37

Download Submit
C:\Config.Msi\e5923d1.rbs

Filesize
19KB

MD5
5169c172afc956d33fc28d6db96b59fd

SHA1
d8294e75f173759cad9f97699f41837d8812b2f1

SHA256
086cc78035b3abd561ee6de07d09fd688ec7e1fbbc09121d349f93b997d5ebd5

SHA512
c8cdb2ff5f77831aa5aa1e86c1edc5c2a72c8e5c2dba6a15137c9b856c55c86e1e219fe62a04af92563270bb9b05d8a06030ccba12b0291a4c7a9275859888fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Roblox Account Manager.exe.log

Filesize
1KB

MD5
a02e8a8a790f0e0861e3b6b0dbe56062

SHA1
a3e65805e5c78641cafebc1052906d7350da9d2e

SHA256
7fada0f81b63e1ecb265e9620ace8f5f0d40773626081849f5d98e668bc4e594

SHA512
108a81f818aa027834d621c771e427ee3f300c59d9dc10d853b94b1e8d635cf6bc06338dce31da30b08660c6fb06a39f9069c983bb585049f5fe9f50b753eb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMSettings.ini

Filesize
1014B

MD5
1d917eaf5dcc8e06dd032c33f3a3d36a

SHA1
1eacb4eced22393fd5140910d30070f2e054e2fe

SHA256
787fa9af1c32b7e198119469c0e2c02c06b34ec7c990b62b9f4fb9bc8cedaa5f

SHA512
3cf5bc6160262ad454477cc0fab401696a7e5dff9e6fae1cdcfa0579ded640ea8c383dfcea6194f55c914927058e2355fd661d1fa83f87c10aeffa6a91cb9fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMTheme.ini

Filesize
314B

MD5
f18fa783f4d27e35e54e54417334bfb4

SHA1
94511cdf37213bebdaf42a6140c9fe5be8eb07ba

SHA256
563eb35fd613f4298cd4dceff67652a13ba516a6244d9407c5709323c4ca4bb1

SHA512
602f6a68562bc89a4b3c3a71c2477377f161470bf8ae8e6925bf35691367115abfa9809925bd09c35596c6a3e5a7e9d090e5198e6a885a6658049c8732a05071

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe.config

Filesize
6KB

MD5
0a86fa27d09e26491dbbb4fe27f4b410

SHA1
63e4b5afb8bdb67fc1d6f8dddeb40be20939289e

SHA256
2b6d99db8369b0ff6372737d89d1c9e4101815b4168a3852c7b513f2897e7f3d

SHA512
fbebc4dc0925d5d67271cac04c1ed324091442ef4c9f6243d2c1c523c9aa6b338c6a594e4987fc142dd3b2a023338a267c8a3454e47fbf0b3e0dbd7b3b65cc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240806115747_000_vcRuntimeMinimum_x86.log

Filesize
2KB

MD5
8479fef9839ab54698f851ee3dc14897

SHA1
d252dbd2000ba9b86a1daf763574387f53c7a3ca

SHA256
de3409eb01c6d6d2fdf64614be7a5a3e24d31edd9463cbf1287cf011a82b8cd1

SHA512
d9ba7185c3596074ddb4d902a097b59a478c1592c53b74e207b4ea03fdc171d25f3a64a25a18dfb30a06f5fb725ce38c70f22b03d73dfbe951e714d859920fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240806115747_001_vcRuntimeAdditional_x86.log

Filesize
3KB

MD5
7a7a306aa9e79f1b1943ab5e7889bc50

SHA1
b1d7d3544c1e638fd48fcc08a2ae4e95f96e10b3

SHA256
2e7a0d283e8b5b740cbfce6a191deed29f203b67e17e369912ea523d70f0579c

SHA512
627397af73dde044b89a760a7acbac582a02395d33d40b8d3fa0537cdead9dbf08d59319e4fd58cb63433c83dd6ba923efd350a6d720973382305f1004b61f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\libsodium.dll

Filesize
477KB

MD5
4f6426e3626d5d46fb19c13043cb84de

SHA1
9dfa32f957c19c843a568b57d555d6d5cbc61579

SHA256
7a960129f6d3f8d44b4c6be27f587c29aa8bafb9c4d3c85bb84a5f5d8fa6e2ba

SHA512
7a83adf2b36973ceb52bfc95591bc91d4ac778a4e11d11723f6d8bf208811b8fa7d072851cfed73407c9413455de717e9a42f8e6bb1a133cb2b1981c66bb5832

Download Submit
C:\Users\Admin\AppData\Local\Temp\log4.config

Filesize
936B

MD5
e4659ac08af3582a23f38bf6c562f841

SHA1
19cb4f014ba96285fa1798f008deabce632c7e76

SHA256
e4b10630d9ec2af508de31752fbbc6816c7426c40a3e57f0a085ce7f42c77bd5

SHA512
5bfa1e021cc7ee5e7a00da865d68684202b3b92d3d369b85b80c591fffa67725d434398325dc1e37c659eab62c0a4118b3e279ac0096b95790d252ceb6254249

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist.tmp

Filesize
13.2MB

MD5
8457542fd4be74cb2c3a92b3386ae8e9

SHA1
198722b4f5fc62721910569d9d926dce22730c22

SHA256
a32dd41eaab0c5e1eaa78be3c0bb73b48593de8d97a7510b97de3fd993538600

SHA512
91a6283f774f9e2338b65aa835156854e9e76aed32f821b13cfd070dd6c87e1542ce2d5845beb5e4af1ddb102314bb6e0ad6214d896bb3e387590a01eae0c182

Download Submit
C:\Windows\Temp\{68DA4AF8-8249-434C-AFAF-5DD76F346D36}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{68DA4AF8-8249-434C-AFAF-5DD76F346D36}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{68DA4AF8-8249-434C-AFAF-5DD76F346D36}\cab54A5CABBE7274D8A22EB58060AAB7623

Filesize
822KB

MD5
25bd21af44d3968a692e9b8a85f5c11d

SHA1
d805d1624553199529a82151f23a1330ac596888

SHA256
f4576ef2e843c282d2a932f7c55d71cc3fcbb35b0a17a0a640eb5f21731cc809

SHA512
ed3660183bf4e0d39e4f43a643007afc143b1d4ec0b45f0fdce28d8e896f646ec24a2a7a5429e8b10f4379cb4ffd1572adba10fc426990d05c0cafefdd87a4fb

Download Submit
C:\Windows\Temp\{68DA4AF8-8249-434C-AFAF-5DD76F346D36}\cabB3E1576D1FEFBB979E13B1A5379E0B16

Filesize
4.9MB

MD5
3a7979fbe74502ddc0a9087ee9ca0bdf

SHA1
3c63238363807c2f254163769d0a582528e115af

SHA256
7327d37634cc8e966342f478168b8850bea36a126d002c38c7438a7bd557c4ca

SHA512
6435db0f210ad317f4cd00bb3300eb41fb86649f7a0e3a05e0f64f8d0163ab53dbdb3c98f99a15102ce09fcd437a148347bab7bfd4afe4c90ff2ea05bb4febff

Download Submit
C:\Windows\Temp\{68DA4AF8-8249-434C-AFAF-5DD76F346D36}\vcRuntimeAdditional_x86

Filesize
180KB

MD5
2ba51e907b5ee6b2aef6dfe5914ae3e3

SHA1
6cc2c49734bf9965fe0f3977705a417ed8548718

SHA256
be137dc2b1ec7e85ae7a003a09537d3706605e34059361404ea3110874895e3a

SHA512
e3ba5aa8f366e3b1a92d8258daa74f327248fb21f168b7472b035f8d38f549f5f556eb9093eb8483ca51b78e9a77ee6e5b6e52378381cce50918d81e8e982d47

Download Submit
C:\Windows\Temp\{68DA4AF8-8249-434C-AFAF-5DD76F346D36}\vcRuntimeMinimum_x86

Filesize
180KB

MD5
828f217e9513cfff708ffe62d238cfc5

SHA1
9fb65d4edb892bf940399d5fd6ae3a4b15c2e4ba

SHA256
a2ad58d741be5d40af708e15bf0dd5e488187bf28f0b699d391a9ef96f899886

SHA512
ffc72b92f1431bbd07889e28b55d14ea11f8401e2d0b180e43a898914209893941affacc0a4ea34eeefc9b0ca4bc84a3045591cd98aae6bdb11ae831dc6bb121

Download Submit
C:\Windows\Temp\{A8418582-12E5-4F41-935E-0573851E37F2}\.cr\vcredist.tmp

Filesize
634KB

MD5
337b547d2771fdad56de13ac94e6b528

SHA1
3aeecc5933e7d8977e7a3623e8e44d4c3d0b4286

SHA256
81873c2f6c8bc4acaad66423a1b4d90e70214e59710ea7f11c8aeb069acd4cd0

SHA512
0d0102fafb7f471a6836708d81952f2c90c2b126ad1b575f2e2e996540c99f7275ebd1f570cafcc945d26700debb1e86b19b090ae5cdec2326dd0a6a918b7a36

Download Submit
memory/1200-252-0x0000000000DC0000-0x0000000000E37000-memory.dmp

Filesize
476KB

Download
memory/1376-19-0x0000000006A40000-0x0000000006AB4000-memory.dmp

Filesize
464KB

Download
memory/1376-24-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/1376-26-0x000000000C5A0000-0x000000000C640000-memory.dmp

Filesize
640KB

Download
memory/1376-33-0x000000000CBB0000-0x000000000CC62000-memory.dmp

Filesize
712KB

Download
memory/1376-34-0x000000000CDB0000-0x000000000CDD2000-memory.dmp

Filesize
136KB

Download
memory/1376-35-0x000000000CF20000-0x000000000D014000-memory.dmp

Filesize
976KB

Download
memory/1376-36-0x000000000D010000-0x000000000D02A000-memory.dmp

Filesize
104KB

Download
memory/1376-37-0x000000000D040000-0x000000000D048000-memory.dmp

Filesize
32KB

Download
memory/1376-38-0x0000000005F40000-0x0000000005F54000-memory.dmp

Filesize
80KB

Download
memory/1376-39-0x000000000D720000-0x000000000D770000-memory.dmp

Filesize
320KB

Download
memory/1376-40-0x000000000D050000-0x000000000D058000-memory.dmp

Filesize
32KB

Download
memory/1376-25-0x000000000C580000-0x000000000C58A000-memory.dmp

Filesize
40KB

Download
memory/1376-44-0x000000000F390000-0x000000000F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/1376-46-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/1376-47-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/1376-48-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/1376-49-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/1376-31-0x000000000CB10000-0x000000000CB68000-memory.dmp

Filesize
352KB

Download
memory/1376-23-0x000000000B9A0000-0x000000000B9DA000-memory.dmp

Filesize
232KB

Download
memory/1376-22-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/1376-20-0x0000000006BC0000-0x0000000006BCA000-memory.dmp

Filesize
40KB

Download
memory/1376-330-0x000000006FC20000-0x000000006FC35000-memory.dmp

Filesize
84KB

Download
memory/1376-17-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/1376-15-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/1732-290-0x0000000000DC0000-0x0000000000E37000-memory.dmp

Filesize
476KB

Download
memory/3236-289-0x0000000000DC0000-0x0000000000E37000-memory.dmp

Filesize
476KB

Download
memory/4488-14-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4488-7-0x0000000005E70000-0x0000000005E8E000-memory.dmp

Filesize
120KB

Download
memory/4488-6-0x0000000005E30000-0x0000000005E56000-memory.dmp

Filesize
152KB

Download
memory/4488-5-0x0000000005ED0000-0x0000000005F62000-memory.dmp

Filesize
584KB

Download
memory/4488-4-0x0000000005DB0000-0x0000000005DF6000-memory.dmp

Filesize
280KB

Download
memory/4488-3-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4488-2-0x00000000063C0000-0x0000000006964000-memory.dmp

Filesize
5.6MB

Download
memory/4488-1-0x0000000000EA0000-0x000000000140C000-memory.dmp

Filesize
5.4MB

Download
memory/4488-0-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download