5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e

Resubmissions

24/08/2024, 13:34 UTC

240824-qvctxasdre 7

24/08/2024, 13:25 UTC

240824-qnxwhatfnl 7

Analysis

max time kernel
148s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
24/08/2024, 13:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox Account Manager.exe
Size

5.5MB
MD5

eb54116db322c49ec2faca86f725931e
SHA1

c703685ac6221d7de624039d7351886b21ca53fc
SHA256

5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e
SHA512

ef6ea52df848bf8c7c77831ee5ca64cf337a92edbb0e8d0d38844e204157545aa3c397eeea12d05f276ce4984f519a1a05cf21bc04514fbb35beebf86d7f8e78
SSDEEP

98304:8H6+2bT1Qm7d9G3s2tIfKLUXk8zdywnr5a0kqXf0Fb7WnZhP+MQuPN5Ppauz+l:5Qm59siyLU0lY9a0kSIb7aZhP+MQuPNw

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2280	Auto Update.exe

Executes dropped EXE 6 IoCs

pid	Process
2280	Auto Update.exe
1056	Roblox Account Manager.exe
3912	Roblox Account Manager.exe
3060	vcredist.tmp
4976	vcredist.tmp
3568	VC_redist.x86.exe

Loads dropped DLL 2 IoCs

pid	Process
4976	vcredist.tmp
1060	VC_redist.x86.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{47109d57-d746-4f8b-9618-ed6a17cc922b} = "\"C:\\ProgramData\\Package Cache\\{47109d57-d746-4f8b-9618-ed6a17cc922b}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
22	3280	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
10	raw.githubusercontent.com
21	raw.githubusercontent.com

Drops file in System32 directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140_threads.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e584ea8.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFDADF64C89F75D6C3.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI54B5.tmp	msiexec.exe
File created	C:\Windows\Installer\e584ea8.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF52DF4DBCA56390C.TMP	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File created	C:\Windows\SystemTemp\~DF98440F502D3009F2.TMP	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File created	C:\Windows\Installer\SourceHash{0C3457A0-3DCE-4A33-BEF0-9B528C557771}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5233.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3C300BA02B1179F6.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5128.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFABD8948FBCF2CAE3.TMP	msiexec.exe
File created	C:\Windows\Installer\e584eba.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e584eba.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF61C7DBA88E5FE4A3.TMP	msiexec.exe
File created	C:\Windows\Installer\e584ecf.msi	msiexec.exe
File created	C:\Windows\Installer\e584eb9.msi	msiexec.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5EA6C998-D5AC-4ED9-89C3-9F25B17CCD3D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI56AA.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFDF5D1F07616459F2.TMP	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File created	C:\Windows\SystemTemp\~DF5B78290C4F007268.TMP	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox Account Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox Account Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox Account Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox Account Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000908a982beaea54420000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000908a982b0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900908a982b000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d908a982b000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000908a982b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\TypedURLs	Roblox Account Manager.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\TypedURLs	Roblox Account Manager.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X86,X86,14.30,BUNDLE\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\ = "{47109d57-d746-4f8b-9618-ed6a17cc922b}"	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A7543C0ECD333A4EB0FB925C8557717\Servicing_Key	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{47109d57-d746-4f8b-9618-ed6a17cc922b}	VC_redist.x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50\899C6AE5CA5D9DE4983CF9521BC7DCD3	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.40.33810"	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\AuthorizedLUAApp = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14	VC_redist.x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{5EA6C998-D5AC-4ED9-89C3-9F25B17CCD3D}v14.40.33810\\packages\\vcRuntimeAdditional_x86\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{0C3457A0-3DCE-4A33-BEF0-9B528C557771}v14.40.33810\\packages\\vcRuntimeMinimum_x86\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\679E80FBE29B63345BF612177149674C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Version = "14.40.33810"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\899C6AE5CA5D9DE4983CF9521BC7DCD3\VC_Runtime_Additional	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\ = "{0C3457A0-3DCE-4A33-BEF0-9B528C557771}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.40.33810"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A7543C0ECD333A4EB0FB925C8557717\VC_Runtime_Minimum	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\Version = "237536274"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\PackageCode = "56C1F3EFF13FBC94887129B2E83EB575"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Dependents\{47109d57-d746-4f8b-9618-ed6a17cc922b}	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle\Dependents	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\ = "{5EA6C998-D5AC-4ED9-89C3-9F25B17CCD3D}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\899C6AE5CA5D9DE4983CF9521BC7DCD3\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\899C6AE5CA5D9DE4983CF9521BC7DCD3\Servicing_Key	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{0C3457A0-3DCE-4A33-BEF0-9B528C557771}v14.40.33810\\packages\\vcRuntimeMinimum_x86\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\SourceList\Media\1 = ";"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{5EA6C998-D5AC-4ED9-89C3-9F25B17CCD3D}v14.40.33810\\packages\\vcRuntimeAdditional_x86\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A7543C0ECD333A4EB0FB925C8557717	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.40.33810"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.40.33810"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\ProductName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.40.33810"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\Dependents\{47109d57-d746-4f8b-9618-ed6a17cc922b}	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList	msiexec.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2280	Auto Update.exe
3280	msiexec.exe
3280	msiexec.exe
3280	msiexec.exe
3280	msiexec.exe
3280	msiexec.exe
3280	msiexec.exe
3280	msiexec.exe
3280	msiexec.exe
3912	Roblox Account Manager.exe
3912	Roblox Account Manager.exe
3912	Roblox Account Manager.exe
3912	Roblox Account Manager.exe
3912	Roblox Account Manager.exe
3912	Roblox Account Manager.exe
3912	Roblox Account Manager.exe
3912	Roblox Account Manager.exe
3912	Roblox Account Manager.exe
3912	Roblox Account Manager.exe
3912	Roblox Account Manager.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3912	Roblox Account Manager.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	Roblox Account Manager.exe
Token: SeDebugPrivilege	2280	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	2280	Auto Update.exe
Token: SeDebugPrivilege	3912	Roblox Account Manager.exe
Token: SeBackupPrivilege	1124	vssvc.exe
Token: SeRestorePrivilege	1124	vssvc.exe
Token: SeAuditPrivilege	1124	vssvc.exe
Token: SeShutdownPrivilege	3568	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	3568	VC_redist.x86.exe
Token: SeSecurityPrivilege	3280	msiexec.exe
Token: SeCreateTokenPrivilege	3568	VC_redist.x86.exe
Token: SeAssignPrimaryTokenPrivilege	3568	VC_redist.x86.exe
Token: SeLockMemoryPrivilege	3568	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	3568	VC_redist.x86.exe
Token: SeMachineAccountPrivilege	3568	VC_redist.x86.exe
Token: SeTcbPrivilege	3568	VC_redist.x86.exe
Token: SeSecurityPrivilege	3568	VC_redist.x86.exe
Token: SeTakeOwnershipPrivilege	3568	VC_redist.x86.exe
Token: SeLoadDriverPrivilege	3568	VC_redist.x86.exe
Token: SeSystemProfilePrivilege	3568	VC_redist.x86.exe
Token: SeSystemtimePrivilege	3568	VC_redist.x86.exe
Token: SeProfSingleProcessPrivilege	3568	VC_redist.x86.exe
Token: SeIncBasePriorityPrivilege	3568	VC_redist.x86.exe
Token: SeCreatePagefilePrivilege	3568	VC_redist.x86.exe
Token: SeCreatePermanentPrivilege	3568	VC_redist.x86.exe
Token: SeBackupPrivilege	3568	VC_redist.x86.exe
Token: SeRestorePrivilege	3568	VC_redist.x86.exe
Token: SeShutdownPrivilege	3568	VC_redist.x86.exe
Token: SeDebugPrivilege	3568	VC_redist.x86.exe
Token: SeAuditPrivilege	3568	VC_redist.x86.exe
Token: SeSystemEnvironmentPrivilege	3568	VC_redist.x86.exe
Token: SeChangeNotifyPrivilege	3568	VC_redist.x86.exe
Token: SeRemoteShutdownPrivilege	3568	VC_redist.x86.exe
Token: SeUndockPrivilege	3568	VC_redist.x86.exe
Token: SeSyncAgentPrivilege	3568	VC_redist.x86.exe
Token: SeEnableDelegationPrivilege	3568	VC_redist.x86.exe
Token: SeManageVolumePrivilege	3568	VC_redist.x86.exe
Token: SeImpersonatePrivilege	3568	VC_redist.x86.exe
Token: SeCreateGlobalPrivilege	3568	VC_redist.x86.exe
Token: SeRestorePrivilege	3280	msiexec.exe
Token: SeTakeOwnershipPrivilege	3280	msiexec.exe
Token: SeRestorePrivilege	3280	msiexec.exe
Token: SeTakeOwnershipPrivilege	3280	msiexec.exe
Token: SeRestorePrivilege	3280	msiexec.exe
Token: SeTakeOwnershipPrivilege	3280	msiexec.exe
Token: SeRestorePrivilege	3280	msiexec.exe
Token: SeTakeOwnershipPrivilege	3280	msiexec.exe
Token: SeRestorePrivilege	3280	msiexec.exe
Token: SeTakeOwnershipPrivilege	3280	msiexec.exe
Token: SeRestorePrivilege	3280	msiexec.exe
Token: SeTakeOwnershipPrivilege	3280	msiexec.exe
Token: SeRestorePrivilege	3280	msiexec.exe
Token: SeTakeOwnershipPrivilege	3280	msiexec.exe
Token: SeRestorePrivilege	3280	msiexec.exe
Token: SeTakeOwnershipPrivilege	3280	msiexec.exe
Token: SeRestorePrivilege	3280	msiexec.exe
Token: SeTakeOwnershipPrivilege	3280	msiexec.exe
Token: SeRestorePrivilege	3280	msiexec.exe
Token: SeTakeOwnershipPrivilege	3280	msiexec.exe
Token: SeRestorePrivilege	3280	msiexec.exe
Token: SeTakeOwnershipPrivilege	3280	msiexec.exe
Token: SeRestorePrivilege	3280	msiexec.exe
Token: SeTakeOwnershipPrivilege	3280	msiexec.exe
Token: SeRestorePrivilege	3280	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2672	1568	Roblox Account Manager.exe	82
PID 1568 wrote to memory of 2672	1568	Roblox Account Manager.exe	82
PID 1568 wrote to memory of 2672	1568	Roblox Account Manager.exe	82
PID 2672 wrote to memory of 2280	2672	Roblox Account Manager.exe	83
PID 2672 wrote to memory of 2280	2672	Roblox Account Manager.exe	83
PID 2672 wrote to memory of 2280	2672	Roblox Account Manager.exe	83
PID 1056 wrote to memory of 3912	1056	Roblox Account Manager.exe	86
PID 1056 wrote to memory of 3912	1056	Roblox Account Manager.exe	86
PID 1056 wrote to memory of 3912	1056	Roblox Account Manager.exe	86
PID 3912 wrote to memory of 3060	3912	Roblox Account Manager.exe	87
PID 3912 wrote to memory of 3060	3912	Roblox Account Manager.exe	87
PID 3912 wrote to memory of 3060	3912	Roblox Account Manager.exe	87
PID 3060 wrote to memory of 4976	3060	vcredist.tmp	88
PID 3060 wrote to memory of 4976	3060	vcredist.tmp	88
PID 3060 wrote to memory of 4976	3060	vcredist.tmp	88
PID 4976 wrote to memory of 3568	4976	vcredist.tmp	89
PID 4976 wrote to memory of 3568	4976	vcredist.tmp	89
PID 4976 wrote to memory of 3568	4976	vcredist.tmp	89
PID 3568 wrote to memory of 2620	3568	VC_redist.x86.exe	99
PID 3568 wrote to memory of 2620	3568	VC_redist.x86.exe	99
PID 3568 wrote to memory of 2620	3568	VC_redist.x86.exe	99
PID 2620 wrote to memory of 1060	2620	VC_redist.x86.exe	100
PID 2620 wrote to memory of 1060	2620	VC_redist.x86.exe	100
PID 2620 wrote to memory of 1060	2620	VC_redist.x86.exe	100
PID 1060 wrote to memory of 3616	1060	VC_redist.x86.exe	101
PID 1060 wrote to memory of 3616	1060	VC_redist.x86.exe	101
PID 1060 wrote to memory of 3616	1060	VC_redist.x86.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
  "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" -update
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
      "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3912
      - C:\Users\Admin\AppData\Local\Temp\vcredist.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" /q /norestart
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\Temp\{4552967F-1F3A-45EB-A54A-B81352ABC5D5}\.cr\vcredist.tmp
        
        "C:\Windows\Temp\{4552967F-1F3A-45EB-A54A-B81352ABC5D5}\.cr\vcredist.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" -burn.filehandle.attached=568 -burn.filehandle.self=576 /q /norestart
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\Temp\{779BABFD-08B7-44FA-ADA9-FCED24A75F28}\.be\VC_redist.x86.exe
        
        "C:\Windows\Temp\{779BABFD-08B7-44FA-ADA9-FCED24A75F28}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{F14B281F-8C97-4B75-A19C-EE24C72FD58A} {82186E50-E3D4-4873-9E8D-06D1EA53330D} 4976
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={47109d57-d746-4f8b-9618-ed6a17cc922b} -burn.filehandle.self=924 -burn.embedded BurnPipe.{DC40A88B-B54B-4130-B259-011734ECC5C1} {E49D2A28-8B2D-41B5-A73D-439F23C70C08} 3568
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=560 -uninstall -quiet -burn.related.upgrade -burn.ancestors={47109d57-d746-4f8b-9618-ed6a17cc922b} -burn.filehandle.self=924 -burn.embedded BurnPipe.{DC40A88B-B54B-4130-B259-011734ECC5C1} {E49D2A28-8B2D-41B5-A73D-439F23C70C08} 3568
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{CAD7CDC8-611E-4ED2-BBE3-C4099F136652} {C68552BD-BA61-43E5-AD81-02C0791042F6} 1060
        11⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:1856

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3440

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1188

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4248

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3044

C:\Users\Admin\AppData\Local\Temp\0C6F0927-0036-402C-A28F-4E9026EEDFB3\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\0C6F0927-0036-402C-A28F-4E9026EEDFB3\dismhost.exe {6698114A-1725-4265-A4C4-52771083954A}
1⤵
- Drops file in Windows directory
PID:4272

Network

DNS

aka.ms

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

aka.ms

IN A

Response

aka.ms

IN A

2.17.6.114
DNS

download.visualstudio.microsoft.com

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

download.visualstudio.microsoft.com

IN A

Response

download.visualstudio.microsoft.com

IN CNAME

visualstudio.download.prss.trafficmanager.net

visualstudio.download.prss.trafficmanager.net

IN CNAME

4316b.wpc.azureedge.net

4316b.wpc.azureedge.net

IN CNAME

cs10.wpc.v0cdn.net

cs10.wpc.v0cdn.net

IN A

68.232.34.200
DNS

8.8.8.8.in-addr.arpa

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

api.github.com

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

api.github.com

IN A

Response

api.github.com

IN A

20.26.156.210
DNS

210.156.26.20.in-addr.arpa

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

210.156.26.20.in-addr.arpa

IN PTR

Response
DNS

raw.githubusercontent.com

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.109.133
DNS

123.35.104.34.in-addr.arpa

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

123.35.104.34.in-addr.arpa

IN PTR

Response

123.35.104.34.in-addr.arpa

IN PTR

1233510434bcgoogleusercontentcom
DNS

objects.githubusercontent.com

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

objects.githubusercontent.com

IN A

Response

objects.githubusercontent.com

IN A

185.199.109.133

objects.githubusercontent.com

IN A

185.199.111.133

objects.githubusercontent.com

IN A

185.199.110.133

objects.githubusercontent.com

IN A

185.199.108.133
DNS

ctldl.windowsupdate.com

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

bg.microsoft.map.fastly.net

bg.microsoft.map.fastly.net

IN A

199.232.210.172

bg.microsoft.map.fastly.net

IN A

199.232.214.172
DNS

ocsp.digicert.com

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

ocsp.digicert.com

IN A

Response

ocsp.digicert.com

IN CNAME

ocsp.edge.digicert.com

ocsp.edge.digicert.com

IN CNAME

fp2e7a.wpc.2be4.phicdn.net

fp2e7a.wpc.2be4.phicdn.net

IN CNAME

fp2e7a.wpc.phicdn.net

fp2e7a.wpc.phicdn.net

IN A

192.229.221.95
DNS

34.135.221.88.in-addr.arpa

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

34.135.221.88.in-addr.arpa

IN PTR

Response

34.135.221.88.in-addr.arpa

IN PTR

a88-221-135-34deploystaticakamaitechnologiescom
DNS

ctldl.windowsupdate.com

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

download.windowsupdate.com.edgesuite.net

download.windowsupdate.com.edgesuite.net

IN CNAME

a767.dspw65.akamai.net

a767.dspw65.akamai.net

IN A

2.22.144.81

a767.dspw65.akamai.net

IN A

2.22.144.73
DNS

arc.msn.com

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

arc.msn.com

IN A

Response

arc.msn.com

IN CNAME

arc.trafficmanager.net

arc.trafficmanager.net

IN CNAME

iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com

iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com

IN A

20.103.156.88
DNS

cxcs.microsoft.net

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

cxcs.microsoft.net

IN A

Response

cxcs.microsoft.net

IN CNAME

cxcs.microsoft.net.edgekey.net

cxcs.microsoft.net.edgekey.net

IN CNAME

e3230.b.akamaiedge.net

e3230.b.akamaiedge.net

IN A

23.206.78.251
DNS

202.143.101.95.in-addr.arpa

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

202.143.101.95.in-addr.arpa

IN PTR

Response

202.143.101.95.in-addr.arpa

IN PTR

a95-101-143-202deploystaticakamaitechnologiescom
DNS

114.6.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

114.6.17.2.in-addr.arpa

IN PTR

Response

114.6.17.2.in-addr.arpa

IN PTR

a2-17-6-114deploystaticakamaitechnologiescom
DNS

clientsettings.roblox.com

Remote address:

8.8.8.8:53

Request

clientsettings.roblox.com

IN A

Response

clientsettings.roblox.com

IN CNAME

titanium.roblox.com

titanium.roblox.com

IN CNAME

edge-term4.roblox.com

edge-term4.roblox.com

IN CNAME

edge-term4-lhr2.roblox.com

edge-term4-lhr2.roblox.com

IN A

128.116.119.4
DNS

4.119.116.128.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.119.116.128.in-addr.arpa

IN PTR

Response
DNS

storage.googleapis.com

Remote address:

8.8.8.8:53

Request

storage.googleapis.com

IN A

Response

storage.googleapis.com

IN A

216.58.214.91

storage.googleapis.com

IN A

142.250.179.123

storage.googleapis.com

IN A

172.217.20.219

storage.googleapis.com

IN A

142.250.178.155

storage.googleapis.com

IN A

142.250.74.251

storage.googleapis.com

IN A

142.250.179.91

storage.googleapis.com

IN A

216.58.215.59

storage.googleapis.com

IN A

142.250.201.187

storage.googleapis.com

IN A

172.217.20.187

storage.googleapis.com

IN A

142.250.75.251

storage.googleapis.com

IN A

216.58.214.187
DNS

133.110.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.110.199.185.in-addr.arpa

IN PTR

Response

133.110.199.185.in-addr.arpa

IN PTR

cdn-185-199-110-133githubcom
DNS

133.109.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.109.199.185.in-addr.arpa

IN PTR

Response

133.109.199.185.in-addr.arpa

IN PTR

cdn-185-199-109-133githubcom
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

r.bing.com

Remote address:

8.8.8.8:53

Request

r.bing.com

IN A

Response

r.bing.com

IN CNAME

p-static.bing.trafficmanager.net

p-static.bing.trafficmanager.net

IN CNAME

r.bing.com.edgekey.net

r.bing.com.edgekey.net

IN CNAME

e86303.dscx.akamaiedge.net

e86303.dscx.akamaiedge.net

IN A

88.221.135.34

e86303.dscx.akamaiedge.net

IN A

88.221.135.35

e86303.dscx.akamaiedge.net

IN A

88.221.135.26

e86303.dscx.akamaiedge.net

IN A

88.221.135.11

e86303.dscx.akamaiedge.net

IN A

88.221.135.33

e86303.dscx.akamaiedge.net

IN A

95.101.143.202

e86303.dscx.akamaiedge.net

IN A

95.101.143.193

e86303.dscx.akamaiedge.net

IN A

88.221.135.27

e86303.dscx.akamaiedge.net

IN A

88.221.135.42
DNS

fp.msedge.net

Remote address:

8.8.8.8:53

Request

fp.msedge.net

IN A

Response

fp.msedge.net

IN CNAME

1.perf.msedge.net

1.perf.msedge.net

IN CNAME

a-0019.a-msedge.net

a-0019.a-msedge.net

IN CNAME

a-0019.a.dns.azurefd.net

a-0019.a.dns.azurefd.net

IN CNAME

a-0019.standard.a-msedge.net

a-0019.standard.a-msedge.net

IN A

204.79.197.222
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
DNS

254.129.123.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.129.123.52.in-addr.arpa

IN PTR

Response
DNS

www.bing.com

Remote address:

8.8.8.8:53

Request

www.bing.com

IN A

Response

www.bing.com

IN CNAME

www-www.bing.com.trafficmanager.net

www-www.bing.com.trafficmanager.net

IN CNAME

www.bing.com.edgekey.net

www.bing.com.edgekey.net

IN CNAME

e86303.dscx.akamaiedge.net

e86303.dscx.akamaiedge.net

IN A

95.101.143.202

e86303.dscx.akamaiedge.net

IN A

88.221.135.25

e86303.dscx.akamaiedge.net

IN A

88.221.135.27

e86303.dscx.akamaiedge.net

IN A

88.221.135.35

e86303.dscx.akamaiedge.net

IN A

95.101.143.195

e86303.dscx.akamaiedge.net

IN A

88.221.135.33

e86303.dscx.akamaiedge.net

IN A

88.221.135.34

e86303.dscx.akamaiedge.net

IN A

88.221.135.11

e86303.dscx.akamaiedge.net

IN A

88.221.135.42
DNS

self.events.data.microsoft.com

Remote address:

8.8.8.8:53

Request

self.events.data.microsoft.com

IN A

Response

self.events.data.microsoft.com

IN CNAME

self-events-data.trafficmanager.net

self-events-data.trafficmanager.net

IN CNAME

onedscolprdcus19.centralus.cloudapp.azure.com

onedscolprdcus19.centralus.cloudapp.azure.com

IN A

52.182.143.214
DNS

200.34.232.68.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.34.232.68.in-addr.arpa

IN PTR

Response
DNS

github.com

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
DNS

edgedl.me.gvt1.com

Remote address:

8.8.8.8:53

Request

edgedl.me.gvt1.com

IN A

Response

edgedl.me.gvt1.com

IN A

34.104.35.123
DNS

215.156.26.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

215.156.26.20.in-addr.arpa

IN PTR

Response
DNS

91.214.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

91.214.58.216.in-addr.arpa

IN PTR

Response

91.214.58.216.in-addr.arpa

IN PTR

fra15s10-in-f911e100net

91.214.58.216.in-addr.arpa

IN PTR

par10s39-in-f27�H

91.214.58.216.in-addr.arpa

IN PTR

fra15s10-in-f27�H
DNS

aka.ms

Remote address:

8.8.8.8:53

Request

aka.ms

IN A

Response

aka.ms

IN A

2.17.6.114
DNS

nexusrules.officeapps.live.com

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.227.13
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

222.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

222.197.79.204.in-addr.arpa

IN PTR

Response
DNS

dual-s-ring.msedge.net

Remote address:

8.8.8.8:53

Request

dual-s-ring.msedge.net

IN A

Response

dual-s-ring.msedge.net

IN CNAME

s-ring.dual-s-9999.dual-s-msedge.net

s-ring.dual-s-9999.dual-s-msedge.net

IN CNAME

dual-s-9999.dual-s-msedge.net

dual-s-9999.dual-s-msedge.net

IN A

52.123.129.254

dual-s-9999.dual-s-msedge.net

IN A

52.123.128.254
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

251.78.206.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

251.78.206.23.in-addr.arpa

IN PTR

Response

251.78.206.23.in-addr.arpa

IN PTR

a23-206-78-251deploystaticakamaitechnologiescom
DNS

214.143.182.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

214.143.182.52.in-addr.arpa

IN PTR

Response
GET

https://api.github.com/repos/ic3w0lf22/Roblox-Account-Manager/releases/latest

Roblox Account Manager.exe

Remote address:

20.26.156.210:443

Request

GET /repos/ic3w0lf22/Roblox-Account-Manager/releases/latest HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Host: api.github.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 24 Aug 2024 13:34:56 GMT
Content-Type: application/json; charset=utf-8
Cache-Control: public, max-age=60, s-maxage=60
Vary: Accept,Accept-Encoding, Accept, X-Requested-With
ETag: W/"3e71a155ac0b4c3709ba4382157aef46282d3a4563515558a15351e51c4965a3"
Last-Modified: Thu, 18 Jul 2024 01:37:43 GMT
X-GitHub-Media-Type: github.v3; format=json
x-github-api-version-selected: 2022-11-28
Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Content-Security-Policy: default-src 'none'
Server: github.com
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 50
X-RateLimit-Reset: 1724508672
X-RateLimit-Resource: core
X-RateLimit-Used: 10
Accept-Ranges: bytes
Content-Length: 4024
X-GitHub-Request-Id: D0EE:220B36:5866B8:5F0826:66C9E180
GET

https://clientsettings.roblox.com/v1/client-version/WindowsPlayer

Roblox Account Manager.exe

Remote address:

128.116.119.4:443

Request

GET /v1/client-version/WindowsPlayer HTTP/1.1
Host: clientsettings.roblox.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

content-length: 119
content-type: application/json; charset=utf-8
date: Sat, 24 Aug 2024 13:34:55 GMT
server: Kestrel
cache-control: public, must-revalidate, max-age=30
strict-transport-security: max-age=3600
x-frame-options: SAMEORIGIN
roblox-machine-id: 842b319a-633b-c051-6b9d-2a6dc618d3b1
x-roblox-region: us-central_rbx
x-roblox-edge: lhr2
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1}
GET

https://github.com/ic3w0lf22/Roblox-Account-Manager/raw/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

Roblox Account Manager.exe

Remote address:

20.26.156.215:443

Request

GET /ic3w0lf22/Roblox-Account-Manager/raw/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt HTTP/1.1
Host: github.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sat, 24 Aug 2024 13:34:56 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/ic3w0lf22/Roblox-Account-Manager/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com api.githubcopilot.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com/v1/engines/github-completion/completions proxy.enterprise.githubcopilot.com/v1/engines/github-completion/completions *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: D0F4:1D201E:62D34B:72916C:66C9E180
GET

https://edgedl.me.gvt1.com/edgedl/chrome/chrome-for-testing/119.0.6045.105/win64/chrome-win64.zip

Roblox Account Manager.exe

Remote address:

34.104.35.123:443

Request

GET /edgedl/chrome/chrome-for-testing/119.0.6045.105/win64/chrome-win64.zip HTTP/1.1
Host: edgedl.me.gvt1.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

last-modified: Wed, 02 May 2007 10:26:10 GMT
date: Sat, 24 Aug 2024 13:34:57 GMT
expires: Sat, 24 Aug 2024 13:49:57 GMT
cache-control: public, max-age=900
location: https://storage.googleapis.com/chrome-for-testing-public/119.0.6045.105/win64/chrome-win64.zip
content-length: 0
x-content-type-options: nosniff
content-type: text/html
server: Google-Edge-Cache
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000
x-request-id: 589f36b8-7520-4550-ad8f-4563232c593f
GET

https://raw.githubusercontent.com/ic3w0lf22/Roblox-Account-Manager/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

Roblox Account Manager.exe

Remote address:

185.199.110.133:443

Request

GET /ic3w0lf22/Roblox-Account-Manager/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 712
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "6504a8f1f84c961d1505a765a5f721ff8cd0b5f0f12ed8226f135185f6667f5c"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 84B0:26ABB:46F828:589A97:66BD57F8
Accept-Ranges: bytes
Date: Sat, 24 Aug 2024 13:34:57 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420112-LON
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1724506497.211410,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: ff4b4d92c98396b08cbb196fb6f28e05f05414b8
Expires: Sat, 24 Aug 2024 13:39:57 GMT
Source-Age: 69
GET

https://storage.googleapis.com/chrome-for-testing-public/119.0.6045.105/win64/chrome-win64.zip

Roblox Account Manager.exe

Remote address:

216.58.214.91:443

Request

GET /chrome-for-testing-public/119.0.6045.105/win64/chrome-win64.zip HTTP/1.1
Host: storage.googleapis.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Expires: Sat, 24 Aug 2024 14:34:57 GMT
Date: Sat, 24 Aug 2024 13:34:57 GMT
Cache-Control: public, max-age=3600
Last-Modified: Fri, 16 Feb 2024 17:24:10 GMT
ETag: "1e4774981a1b068c301d9282bb38706e"
x-goog-generation: 1708104250635651
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 150638219
Content-Type: application/zip
x-goog-hash: crc32c=9AQkeg==
x-goog-hash: md5=Hkd0mBobBowwHZKCuzhwbg==
x-goog-storage-class: STANDARD
Accept-Ranges: bytes
Content-Length: 150638219
X-GUploader-UploadID: AHxI1nN3qmedTIs_E9Vaa8v6QvLGlaJj8O60EHtbRCLvEWlEq_z-pxPMbGpVTZhDYcp5Lh54BTpIcIjAag
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://api.github.com/repos/ic3w0lf22/Roblox-Account-Manager/releases/latest

Roblox Account Manager.exe

Remote address:

20.26.156.210:443

Request

GET /repos/ic3w0lf22/Roblox-Account-Manager/releases/latest HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Host: api.github.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 24 Aug 2024 13:34:56 GMT
Content-Type: application/json; charset=utf-8
Cache-Control: public, max-age=60, s-maxage=60
Vary: Accept,Accept-Encoding, Accept, X-Requested-With
ETag: W/"3e71a155ac0b4c3709ba4382157aef46282d3a4563515558a15351e51c4965a3"
Last-Modified: Thu, 18 Jul 2024 01:37:43 GMT
X-GitHub-Media-Type: github.v3; format=json
x-github-api-version-selected: 2022-11-28
Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Content-Security-Policy: default-src 'none'
Server: github.com
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 48
X-RateLimit-Reset: 1724508672
X-RateLimit-Resource: core
X-RateLimit-Used: 12
Accept-Ranges: bytes
Content-Length: 4024
X-GitHub-Request-Id: D12F:218002:5094B4:57373C:66C9E18E
GET

https://clientsettings.roblox.com/v1/client-version/WindowsPlayer

Roblox Account Manager.exe

Remote address:

128.116.119.4:443

Request

GET /v1/client-version/WindowsPlayer HTTP/1.1
Host: clientsettings.roblox.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

content-length: 119
content-type: application/json; charset=utf-8
date: Sat, 24 Aug 2024 13:35:10 GMT
server: Kestrel
cache-control: public, must-revalidate, max-age=30
strict-transport-security: max-age=3600
x-frame-options: SAMEORIGIN
roblox-machine-id: 842b319a-633b-c051-6b9d-2a6dc618d3b1
x-roblox-region: us-central_rbx
x-roblox-edge: lhr2
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1}
GET

https://github.com/ic3w0lf22/Roblox-Account-Manager/raw/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

Roblox Account Manager.exe

Remote address:

20.26.156.215:443

Request

GET /ic3w0lf22/Roblox-Account-Manager/raw/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt HTTP/1.1
Host: github.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sat, 24 Aug 2024 13:34:56 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/ic3w0lf22/Roblox-Account-Manager/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com api.githubcopilot.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com/v1/engines/github-completion/completions proxy.enterprise.githubcopilot.com/v1/engines/github-completion/completions *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: D133:1D201E:62D948:729840:66C9E18F
GET

https://storage.googleapis.com/chrome-for-testing-public/124.0.6367.201/win64/chrome-win64.zip

Roblox Account Manager.exe

Remote address:

216.58.214.91:443

Request

GET /chrome-for-testing-public/124.0.6367.201/win64/chrome-win64.zip HTTP/1.1
Host: storage.googleapis.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Expires: Sat, 24 Aug 2024 14:35:11 GMT
Date: Sat, 24 Aug 2024 13:35:11 GMT
Cache-Control: public, max-age=3600
Last-Modified: Wed, 08 May 2024 22:32:38 GMT
ETag: "7aaffb17a30cd6d74856c82cd181c969"
x-goog-generation: 1715207558197023
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 150232934
Content-Type: application/x-zip-compressed
x-goog-hash: crc32c=G2zm7Q==
x-goog-hash: md5=eq/7F6MM1tdIVsgs0YHJaQ==
x-goog-storage-class: STANDARD
Accept-Ranges: bytes
Content-Length: 150232934
X-GUploader-UploadID: AHxI1nPUK0kCd8FvH6qPtnUzP200ibu-A7XXwOzFk6Gpz6YLZOsOjJaVDfXxQ60YAikdkLogbDewBUTBHA
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://raw.githubusercontent.com/ic3w0lf22/Roblox-Account-Manager/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

Roblox Account Manager.exe

Remote address:

185.199.110.133:443

Request

GET /ic3w0lf22/Roblox-Account-Manager/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 712
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "6504a8f1f84c961d1505a765a5f721ff8cd0b5f0f12ed8226f135185f6667f5c"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: CDD4:1CB1B5:35C1B9:42CE56:66B2C215
Accept-Ranges: bytes
Date: Sat, 24 Aug 2024 13:35:11 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600096-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1724506512.515928,VS0,VE77
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 900c8687daca5ff3625d626ead5bdef5977b5b5a
Expires: Sat, 24 Aug 2024 13:40:11 GMT
Source-Age: 0
GET

https://storage.googleapis.com/chrome-for-testing-public/124.0.6367.201/win64/chrome-headless-shell-win64.zip

Roblox Account Manager.exe

Remote address:

216.58.214.91:443

Request

GET /chrome-for-testing-public/124.0.6367.201/win64/chrome-headless-shell-win64.zip HTTP/1.1
Host: storage.googleapis.com

Response

HTTP/1.1 200 OK

Expires: Sat, 24 Aug 2024 14:35:30 GMT
Date: Sat, 24 Aug 2024 13:35:30 GMT
Cache-Control: public, max-age=3600
Last-Modified: Wed, 08 May 2024 22:33:02 GMT
ETag: "b422b7cceebcce1eca6118ee96480926"
x-goog-generation: 1715207582036334
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 88298007
Content-Type: application/x-zip-compressed
x-goog-hash: crc32c=ZQVNjg==
x-goog-hash: md5=tCK3zO68zh7KYRjulkgJJg==
x-goog-storage-class: STANDARD
Accept-Ranges: bytes
Content-Length: 88298007
X-GUploader-UploadID: AHxI1nMUSKyJdYYP9flAk52_uZ717CFWLGqNlvIlkBP7W1S7PGlnl7DoK8W4fuqq7CANTvJ3LgUpj6Cc8w
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

2.17.6.114:443

aka.ms

tls

Roblox Account Manager.exe

858 B
5.8kB
9
11
68.232.34.200:443

download.visualstudio.microsoft.com

tls

Roblox Account Manager.exe

204.4kB
10.3MB
4242
7365
20.26.156.210:443

https://api.github.com/repos/ic3w0lf22/Roblox-Account-Manager/releases/latest

tls, http

Roblox Account Manager.exe

990 B
9.2kB
10
10

HTTP Request

GET https://api.github.com/repos/ic3w0lf22/Roblox-Account-Manager/releases/latest

HTTP Response

200
128.116.119.4:443

https://clientsettings.roblox.com/v1/client-version/WindowsPlayer

tls, http

Roblox Account Manager.exe

861 B
6.5kB
10
9

HTTP Request

GET https://clientsettings.roblox.com/v1/client-version/WindowsPlayer

HTTP Response

200
20.26.156.215:443

https://github.com/ic3w0lf22/Roblox-Account-Manager/raw/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

tls, http

Roblox Account Manager.exe

943 B
7.8kB
11
11

HTTP Request

GET https://github.com/ic3w0lf22/Roblox-Account-Manager/raw/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

HTTP Response

302
34.104.35.123:443

https://edgedl.me.gvt1.com/edgedl/chrome/chrome-for-testing/119.0.6045.105/win64/chrome-win64.zip

tls, http

Roblox Account Manager.exe

840 B
5.6kB
9
9

HTTP Request

GET https://edgedl.me.gvt1.com/edgedl/chrome/chrome-for-testing/119.0.6045.105/win64/chrome-win64.zip

HTTP Response

302
185.199.110.133:443

https://raw.githubusercontent.com/ic3w0lf22/Roblox-Account-Manager/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

tls, http

Roblox Account Manager.exe

923 B
6.0kB
10
13

HTTP Request

GET https://raw.githubusercontent.com/ic3w0lf22/Roblox-Account-Manager/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

HTTP Response

200
216.58.214.91:443

https://storage.googleapis.com/chrome-for-testing-public/119.0.6045.105/win64/chrome-win64.zip

tls, http

Roblox Account Manager.exe

510.4kB
20.9MB
9546
15042

HTTP Request

GET https://storage.googleapis.com/chrome-for-testing-public/119.0.6045.105/win64/chrome-win64.zip

HTTP Response

200
20.26.156.210:443

api.github.com

tls

Auto Update.exe

1.0kB
9.4kB
9
10
20.26.156.215:443

github.com

tls

Auto Update.exe

1.4kB
12.9kB
12
14
185.199.109.133:443

objects.githubusercontent.com

tls

Auto Update.exe

113.4kB
4.5MB
2072
3240
2.17.6.114:443

aka.ms

tls

Roblox Account Manager.exe

950 B
6.0kB
11
13
68.232.34.200:443

download.visualstudio.microsoft.com

tls

Roblox Account Manager.exe

297.2kB
14.3MB
6056
10251
20.26.156.210:443

https://api.github.com/repos/ic3w0lf22/Roblox-Account-Manager/releases/latest

tls, http

Roblox Account Manager.exe

990 B
9.3kB
10
11

HTTP Request

GET https://api.github.com/repos/ic3w0lf22/Roblox-Account-Manager/releases/latest

HTTP Response

200
128.116.119.4:443

https://clientsettings.roblox.com/v1/client-version/WindowsPlayer

tls, http

Roblox Account Manager.exe

907 B
6.6kB
11
11

HTTP Request

GET https://clientsettings.roblox.com/v1/client-version/WindowsPlayer

HTTP Response

200
20.26.156.215:443

https://github.com/ic3w0lf22/Roblox-Account-Manager/raw/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

tls, http

Roblox Account Manager.exe

943 B
7.8kB
11
10

HTTP Request

GET https://github.com/ic3w0lf22/Roblox-Account-Manager/raw/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

HTTP Response

302
216.58.214.91:443

https://storage.googleapis.com/chrome-for-testing-public/124.0.6367.201/win64/chrome-win64.zip

tls, http

Roblox Account Manager.exe

4.5MB
155.6MB
78891
111389

HTTP Request

GET https://storage.googleapis.com/chrome-for-testing-public/124.0.6367.201/win64/chrome-win64.zip

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/ic3w0lf22/Roblox-Account-Manager/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

tls, http

Roblox Account Manager.exe

923 B
6.0kB
10
13

HTTP Request

GET https://raw.githubusercontent.com/ic3w0lf22/Roblox-Account-Manager/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

HTTP Response

200
216.58.214.91:443

https://storage.googleapis.com/chrome-for-testing-public/124.0.6367.201/win64/chrome-headless-shell-win64.zip

tls, http

Roblox Account Manager.exe

2.2MB
91.1MB
42251
65261

HTTP Request

GET https://storage.googleapis.com/chrome-for-testing-public/124.0.6367.201/win64/chrome-headless-shell-win64.zip

HTTP Response

200
95.101.129.208:443

www.bing.com

tls

12.8kB
153.2kB
139
127
88.221.135.34:443

r.bing.com

tls

71.9kB
1.8MB
1396
1356
88.221.135.34:443

r.bing.com

tls

1.2kB
5.3kB
16
14
88.221.135.34:443

r.bing.com

tls

1.2kB
5.2kB
16
14
88.221.135.34:443

r.bing.com

tls

1.2kB
5.2kB
17
14
88.221.135.34:443

r.bing.com

tls

1.2kB
5.3kB
16
14
88.221.135.34:443

r.bing.com

tls

1.2kB
5.3kB
16
14
88.221.135.34:443

r.bing.com

tls

1.4kB
1.1kB
14
11
88.221.135.34:443

r.bing.com

tls

1.4kB
1.1kB
15
12
88.221.135.34:443

r.bing.com

tls

1.4kB
1.1kB
14
11
88.221.135.34:443

r.bing.com

tls

1.4kB
1.1kB
15
12
88.221.135.34:443

r.bing.com

tls

1.4kB
1.1kB
14
11
88.221.135.34:443

r.bing.com

tls

1.3kB
1.1kB
13
11
88.221.135.34:443

r.bing.com

tls

1.4kB
1.1kB
14
11
88.221.135.34:443

r.bing.com

tls

1.3kB
1.1kB
13
11
88.221.135.34:443

r.bing.com

tls

1.3kB
1.1kB
13
11
88.221.135.34:443

r.bing.com

tls

1.3kB
1.1kB
13
11
88.221.135.34:443

r.bing.com

tls

1.3kB
1.1kB
13
11
88.221.135.34:443

r.bing.com

tls

1.4kB
1.1kB
13
10
88.221.135.34:443

r.bing.com

tls

2.0kB
1.1kB
14
11
88.221.135.34:443

r.bing.com

tls

1.3kB
1.1kB
13
11
88.221.135.34:443

r.bing.com

tls

1.3kB
1.1kB
13
11
88.221.135.34:443

r.bing.com

tls

1.3kB
1.1kB
13
11
88.221.135.34:443

r.bing.com

tls

1.4kB
1.1kB
14
11
88.221.135.34:443

r.bing.com

tls

1.3kB
1.1kB
13
11
88.221.135.34:443

r.bing.com

tls

1.5kB
1.1kB
15
11
88.221.135.34:443

r.bing.com

tls

1.3kB
1.1kB
13
11
88.221.135.34:443

r.bing.com

tls

1.4kB
1.1kB
14
11
88.221.135.34:443

r.bing.com

tls

1.3kB
1.1kB
13
11
88.221.135.34:443

r.bing.com

tls

1.4kB
1.1kB
14
11
52.123.129.254:443

dual-s-ring.msedge.net

tls

1.1kB
6.8kB
10
9
23.206.78.251:443

cxcs.microsoft.net

tls

1.9kB
8.0kB
27
24
95.101.143.202:443

www.bing.com

tls

3.0kB
7.9kB
24
19

8.8.8.8:53

aka.ms

dns

Roblox Account Manager.exe

1.0kB
2.3kB
15
15

DNS Request

aka.ms

DNS Response

2.17.6.114

DNS Request

download.visualstudio.microsoft.com

DNS Response

68.232.34.200

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

api.github.com

DNS Response

20.26.156.210

DNS Request

210.156.26.20.in-addr.arpa

DNS Request

raw.githubusercontent.com

DNS Response

185.199.110.133

185.199.108.133

185.199.111.133

185.199.109.133

DNS Request

123.35.104.34.in-addr.arpa

DNS Request

objects.githubusercontent.com

DNS Response

185.199.109.133

185.199.111.133

185.199.110.133

185.199.108.133

DNS Request

ctldl.windowsupdate.com

DNS Response

199.232.210.172

199.232.214.172

DNS Request

ocsp.digicert.com

DNS Response

192.229.221.95

DNS Request

34.135.221.88.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

2.22.144.81

2.22.144.73

DNS Request

arc.msn.com

DNS Response

20.103.156.88

DNS Request

cxcs.microsoft.net

DNS Response

23.206.78.251

DNS Request

202.143.101.95.in-addr.arpa
8.8.8.8:53

114.6.17.2.in-addr.arpa

dns

894 B
2.3kB
13
13

DNS Request

114.6.17.2.in-addr.arpa

DNS Request

clientsettings.roblox.com

DNS Response

128.116.119.4

DNS Request

4.119.116.128.in-addr.arpa

DNS Request

storage.googleapis.com

DNS Response

216.58.214.91

142.250.179.123

172.217.20.219

142.250.178.155

142.250.74.251

142.250.179.91

216.58.215.59

142.250.201.187

172.217.20.187

142.250.75.251

216.58.214.187

DNS Request

133.110.199.185.in-addr.arpa

DNS Request

133.109.199.185.in-addr.arpa

DNS Request

172.210.232.199.in-addr.arpa

DNS Request

r.bing.com

DNS Response

88.221.135.34

88.221.135.35

88.221.135.26

88.221.135.11

88.221.135.33

95.101.143.202

95.101.143.193

88.221.135.27

88.221.135.42

DNS Request

fp.msedge.net

DNS Response

204.79.197.222

DNS Request

81.144.22.2.in-addr.arpa

DNS Request

254.129.123.52.in-addr.arpa

DNS Request

www.bing.com

DNS Response

95.101.143.202

88.221.135.25

88.221.135.27

88.221.135.35

95.101.143.195

88.221.135.33

88.221.135.34

88.221.135.11

88.221.135.42

DNS Request

self.events.data.microsoft.com

DNS Response

52.182.143.214
8.8.8.8:53

200.34.232.68.in-addr.arpa

dns

894 B
1.7kB
13
13

DNS Request

200.34.232.68.in-addr.arpa

DNS Request

github.com

DNS Response

20.26.156.215

DNS Request

edgedl.me.gvt1.com

DNS Response

34.104.35.123

DNS Request

215.156.26.20.in-addr.arpa

DNS Request

91.214.58.216.in-addr.arpa

DNS Request

aka.ms

DNS Response

2.17.6.114

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.227.13

DNS Request

13.227.111.52.in-addr.arpa

DNS Request

222.197.79.204.in-addr.arpa

DNS Request

dual-s-ring.msedge.net

DNS Response

52.123.129.254

52.123.128.254

DNS Request

88.156.103.20.in-addr.arpa

DNS Request

251.78.206.23.in-addr.arpa

DNS Request

214.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e584ead.rbs

Filesize
16KB

MD5
56a35d77ecf1856ba46f631951dcd5bd

SHA1
8d39c6a24cf16debedcc11df515b592767423b4d

SHA256
d233b71adba63ddb3527b86f9978ce114940ed7c1a91bf1141d6dafaccd11074

SHA512
47fe6fb54cdf5b0737ef61e57f4dab24a2bd2e53365e9b28e5c1dec7df45bc2bd0b5a4432d128180ffdce5fd7f609ed8b13f824663179cc5c3fc3e76332d45c9

Download Submit
C:\Config.Msi\e584eb2.rbs

Filesize
18KB

MD5
0a8377a3b0886fba19a9aeca9e6d8cf0

SHA1
3961426d7971d271ec003b7771372e090bad3e7d

SHA256
b3a727947a81f989a03f6cd4556486cd2f6ead46c5b2e89da064e90addede581

SHA512
23998c72f9e584b29ce0e7c71a964846a915d6b4a55c1ef03219cb9cda11b01ae58b9c83a06967e37c61afd7cc191a24ee4de00c8be26cb9638dabb38c1c9918

Download Submit
C:\Config.Msi\e584ebf.rbs

Filesize
20KB

MD5
2fc6c893369133fc033cb1d68c8321b6

SHA1
4d7097372525e3d021fde18867d55fca8661f2a8

SHA256
288b81170b70d0d5139f075cac1d06815233781ced44e47cec0a670214402632

SHA512
829d56537713e374e17ffa166c226015f0545c8dc5296976edf415941fb6b79f75fbb2484326387b3c1cf1649d2d24c77e5e13bc28e5a26ca0e9cab2a714e479

Download Submit
C:\Config.Msi\e584ece.rbs

Filesize
19KB

MD5
71eb56818b49053a7db322ab0cc32134

SHA1
cff1af11a3dc91cbc9230af7e5c06e971bd71d6d

SHA256
5090ee6f327a0518d92b99c2bc78edcb2262d6c00c099594f7a3dff89489c388

SHA512
c5c8c07ccd40740b65642e299e0cf4fe58fbeed81bf18b205503a69030d10d0e257ef898a4cb95efac438b7cf5c6b32047377743f74bc22b4c78d3d7ed709408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Roblox Account Manager.exe.log

Filesize
1KB

MD5
72c442c0ee7dde7b3455bb315289bcf2

SHA1
d33367411ce01348f531e098495885b9d2ea110b

SHA256
180f825c19263ae06fc891efcde51f993b720a27bd6e563742a110b40cb3fe41

SHA512
b66e975424f17e3b4dce2d2746d78b8a05001ee17a7208c1f5f81ed8530aa2e3d4b10f4c64b33ba7c05a5e9e2afc548abf6bdfaffd6015c2cb7d624a688dc018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-8-24.1336.956.1.odl

Filesize
706B

MD5
52ca7c7d72cf263717e21ba42ef77d00

SHA1
bfdc1da2880c5a07d6b772f23069fa12e97e4c3b

SHA256
9cd36320ec74971a518781e7ec5e0c152792af9776603fb22fa0b5881fe9c717

SHA512
477f6366d9e72850393eeeb083db1a50082c4f8444c2b918d20648805a02a58e498c44573125f436c3f23e980be2762c972f31853109459ec3a8b87dcba310ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Auto Update.exe

Filesize
5.5MB

MD5
eb54116db322c49ec2faca86f725931e

SHA1
c703685ac6221d7de624039d7351886b21ca53fc

SHA256
5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e

SHA512
ef6ea52df848bf8c7c77831ee5ca64cf337a92edbb0e8d0d38844e204157545aa3c397eeea12d05f276ce4984f519a1a05cf21bc04514fbb35beebf86d7f8e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMSettings.ini

Filesize
1014B

MD5
1d917eaf5dcc8e06dd032c33f3a3d36a

SHA1
1eacb4eced22393fd5140910d30070f2e054e2fe

SHA256
787fa9af1c32b7e198119469c0e2c02c06b34ec7c990b62b9f4fb9bc8cedaa5f

SHA512
3cf5bc6160262ad454477cc0fab401696a7e5dff9e6fae1cdcfa0579ded640ea8c383dfcea6194f55c914927058e2355fd661d1fa83f87c10aeffa6a91cb9fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMSettings.ini

Filesize
942B

MD5
f99fcdcfd630d18e441188092a56ae6a

SHA1
ffda4080b708554f32cd1fe1545298b40ce456f6

SHA256
3596dd7a1aa6d5ea2e030b7fc1b04e0eb4e58b01b4edd8d8f6d1882cfbea37fe

SHA512
291d4d942f8752c8eb1dee4d6f68c2d2b15e8e426f271968eb372470faca9bb6866184a4ee2b9e0d91f38b45327440c4f18601c1a16bfda2b98cfe524db69f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMTheme.ini

Filesize
314B

MD5
f18fa783f4d27e35e54e54417334bfb4

SHA1
94511cdf37213bebdaf42a6140c9fe5be8eb07ba

SHA256
563eb35fd613f4298cd4dceff67652a13ba516a6244d9407c5709323c4ca4bb1

SHA512
602f6a68562bc89a4b3c3a71c2477377f161470bf8ae8e6925bf35691367115abfa9809925bd09c35596c6a3e5a7e9d090e5198e6a885a6658049c8732a05071

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe

Filesize
5.4MB

MD5
334728f32a1144c893fdffc579a7709b

SHA1
97d2eb634d45841c1453749acb911ce1303196c0

SHA256
be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1

SHA512
5df9d63136098d23918eba652b44a87e979430b2ce3e78a3eb8faef3dd4bd9599d6c31980f9eaf2bd6a071e966421bc6cec950c28b3b917f90130e8a582c2a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe.config

Filesize
6KB

MD5
d5e4966de947333592289d70916257a9

SHA1
5907df0fd07df6c33926906e94f4ed08d40be017

SHA256
d726d47b772a70fabc777c8ed46655fe5200e672f01f11dd95c5f4994e0a71e0

SHA512
c618054766bee664f0605a037f065c196c35495ee993b305f0bece4738ec9f7bd632dc8fb541bcf9d156f12e115455f31dd8db2a8cceb9d7d2f0d05d501831e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe.config

Filesize
6KB

MD5
0a86fa27d09e26491dbbb4fe27f4b410

SHA1
63e4b5afb8bdb67fc1d6f8dddeb40be20939289e

SHA256
2b6d99db8369b0ff6372737d89d1c9e4101815b4168a3852c7b513f2897e7f3d

SHA512
fbebc4dc0925d5d67271cac04c1ed324091442ef4c9f6243d2c1c523c9aa6b338c6a594e4987fc142dd3b2a023338a267c8a3454e47fbf0b3e0dbd7b3b65cc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240824133514_000_vcRuntimeMinimum_x86.log

Filesize
2KB

MD5
574f0c715ade59a09e5fe38b5e6d3a1e

SHA1
bd6476c024b2fed40bf205410b802df5718ec155

SHA256
7c3d90352fbb85bfee9b8c3a7335a27771881f724c9860b036faa59063f72960

SHA512
addc34479629d3231b2fcb9f8aa04bc01d72436d2dc71639fd618ff0187977ef0b098e957ccd5c976396107a65fd2eefa80f7388bb2535f4e18f7ef574e06bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240824133514_001_vcRuntimeAdditional_x86.log

Filesize
3KB

MD5
45ea8363b988464bd62d24a07f598f4e

SHA1
4f249c11524b98dd56b9fe3de2f5984e70a0cd69

SHA256
136c48b839630064d205603fef3114be4b87ee0df5d75b27139d9f0c0802ae05

SHA512
10061d63e11d5bfe31e91a73a985a9e217565986a5dea1f3b9973480ab735e53435543ec212ed609f71148e7b16ecb0de4cbfe286f501278f97c604ead2d7a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\log.txt

Filesize
158B

MD5
f4a87ce515ccc1c7ce51a11a9867d7c4

SHA1
affb7235f8b6d6d5b4e0834d9022b704982d276b

SHA256
d38282975197a81f748459ba4c63b498f2f418f3380c3b6d2ce6006d47be043c

SHA512
4cbc9497769778512e980bb6cb32c2ccfba90b0f0998552a4c07ed6114cb5badcab498e6cec16d2e101ec8623a7a811c4c31a3dc7a073b1801dbe472b377c92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\log.txt

Filesize
585B

MD5
941757708295fccad6ac607b322ce792

SHA1
0e73740d64c170c97dd27e28433b3e05f705538a

SHA256
425667dd2c17f37b54577df46ac5aa01094437ab626c4de70a7a8da9b6a0098d

SHA512
eaa5a5270af87b71cb7cdf33181d8b335c5c03a3d1cd4c71e208f8a41bc6bbd0702990aeeb68be48e032c51fa9e402cb6a1213e47618a9c5b22991241e2ee2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\log4.config

Filesize
936B

MD5
e4659ac08af3582a23f38bf6c562f841

SHA1
19cb4f014ba96285fa1798f008deabce632c7e76

SHA256
e4b10630d9ec2af508de31752fbbc6816c7426c40a3e57f0a085ce7f42c77bd5

SHA512
5bfa1e021cc7ee5e7a00da865d68684202b3b92d3d369b85b80c591fffa67725d434398325dc1e37c659eab62c0a4118b3e279ac0096b95790d252ceb6254249

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist.tmp

Filesize
13.2MB

MD5
8457542fd4be74cb2c3a92b3386ae8e9

SHA1
198722b4f5fc62721910569d9d926dce22730c22

SHA256
a32dd41eaab0c5e1eaa78be3c0bb73b48593de8d97a7510b97de3fd993538600

SHA512
91a6283f774f9e2338b65aa835156854e9e76aed32f821b13cfd070dd6c87e1542ce2d5845beb5e4af1ddb102314bb6e0ad6214d896bb3e387590a01eae0c182

Download Submit
C:\Windows\Temp\{4552967F-1F3A-45EB-A54A-B81352ABC5D5}\.cr\vcredist.tmp

Filesize
634KB

MD5
337b547d2771fdad56de13ac94e6b528

SHA1
3aeecc5933e7d8977e7a3623e8e44d4c3d0b4286

SHA256
81873c2f6c8bc4acaad66423a1b4d90e70214e59710ea7f11c8aeb069acd4cd0

SHA512
0d0102fafb7f471a6836708d81952f2c90c2b126ad1b575f2e2e996540c99f7275ebd1f570cafcc945d26700debb1e86b19b090ae5cdec2326dd0a6a918b7a36

Download Submit
C:\Windows\Temp\{779BABFD-08B7-44FA-ADA9-FCED24A75F28}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{779BABFD-08B7-44FA-ADA9-FCED24A75F28}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{779BABFD-08B7-44FA-ADA9-FCED24A75F28}\cab54A5CABBE7274D8A22EB58060AAB7623

Filesize
822KB

MD5
25bd21af44d3968a692e9b8a85f5c11d

SHA1
d805d1624553199529a82151f23a1330ac596888

SHA256
f4576ef2e843c282d2a932f7c55d71cc3fcbb35b0a17a0a640eb5f21731cc809

SHA512
ed3660183bf4e0d39e4f43a643007afc143b1d4ec0b45f0fdce28d8e896f646ec24a2a7a5429e8b10f4379cb4ffd1572adba10fc426990d05c0cafefdd87a4fb

Download Submit
C:\Windows\Temp\{779BABFD-08B7-44FA-ADA9-FCED24A75F28}\cabB3E1576D1FEFBB979E13B1A5379E0B16

Filesize
4.9MB

MD5
3a7979fbe74502ddc0a9087ee9ca0bdf

SHA1
3c63238363807c2f254163769d0a582528e115af

SHA256
7327d37634cc8e966342f478168b8850bea36a126d002c38c7438a7bd557c4ca

SHA512
6435db0f210ad317f4cd00bb3300eb41fb86649f7a0e3a05e0f64f8d0163ab53dbdb3c98f99a15102ce09fcd437a148347bab7bfd4afe4c90ff2ea05bb4febff

Download Submit
C:\Windows\Temp\{779BABFD-08B7-44FA-ADA9-FCED24A75F28}\vcRuntimeAdditional_x86

Filesize
180KB

MD5
2ba51e907b5ee6b2aef6dfe5914ae3e3

SHA1
6cc2c49734bf9965fe0f3977705a417ed8548718

SHA256
be137dc2b1ec7e85ae7a003a09537d3706605e34059361404ea3110874895e3a

SHA512
e3ba5aa8f366e3b1a92d8258daa74f327248fb21f168b7472b035f8d38f549f5f556eb9093eb8483ca51b78e9a77ee6e5b6e52378381cce50918d81e8e982d47

Download Submit
C:\Windows\Temp\{779BABFD-08B7-44FA-ADA9-FCED24A75F28}\vcRuntimeMinimum_x86

Filesize
180KB

MD5
828f217e9513cfff708ffe62d238cfc5

SHA1
9fb65d4edb892bf940399d5fd6ae3a4b15c2e4ba

SHA256
a2ad58d741be5d40af708e15bf0dd5e488187bf28f0b699d391a9ef96f899886

SHA512
ffc72b92f1431bbd07889e28b55d14ea11f8401e2d0b180e43a898914209893941affacc0a4ea34eeefc9b0ca4bc84a3045591cd98aae6bdb11ae831dc6bb121

Download Submit
memory/1056-71-0x00000000050E0000-0x0000000005126000-memory.dmp

Filesize
280KB

Download
memory/1056-70-0x00000000001F0000-0x000000000075C000-memory.dmp

Filesize
5.4MB

Download
memory/1060-503-0x0000000000B00000-0x0000000000B77000-memory.dmp

Filesize
476KB

Download
memory/1568-4-0x00000000744C0000-0x0000000074C71000-memory.dmp

Filesize
7.7MB

Download
memory/1568-5-0x0000000005CE0000-0x0000000005D72000-memory.dmp

Filesize
584KB

Download
memory/1568-1-0x0000000000B20000-0x000000000109A000-memory.dmp

Filesize
5.5MB

Download
memory/1568-15-0x00000000744C0000-0x0000000074C71000-memory.dmp

Filesize
7.7MB

Download
memory/1568-0-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/1568-7-0x0000000005C00000-0x0000000005C1E000-memory.dmp

Filesize
120KB

Download
memory/1568-6-0x0000000005BA0000-0x0000000005BC6000-memory.dmp

Filesize
152KB

Download
memory/1568-3-0x0000000005B10000-0x0000000005B56000-memory.dmp

Filesize
280KB

Download
memory/1568-2-0x00000000061F0000-0x0000000006796000-memory.dmp

Filesize
5.6MB

Download
memory/2280-56-0x0000000009220000-0x0000000009296000-memory.dmp

Filesize
472KB

Download
memory/2280-54-0x0000000009150000-0x000000000915A000-memory.dmp

Filesize
40KB

Download
memory/2280-55-0x0000000009180000-0x0000000009192000-memory.dmp

Filesize
72KB

Download
memory/2280-62-0x00000000093F0000-0x000000000940E000-memory.dmp

Filesize
120KB

Download
memory/2620-504-0x0000000000B00000-0x0000000000B77000-memory.dmp

Filesize
476KB

Download
memory/2672-36-0x000000000D870000-0x000000000D88A000-memory.dmp

Filesize
104KB

Download
memory/2672-20-0x0000000006B60000-0x0000000006B6A000-memory.dmp

Filesize
40KB

Download
memory/2672-14-0x00000000744C0000-0x0000000074C71000-memory.dmp

Filesize
7.7MB

Download
memory/2672-52-0x00000000744C0000-0x0000000074C71000-memory.dmp

Filesize
7.7MB

Download
memory/2672-16-0x00000000744C0000-0x0000000074C71000-memory.dmp

Filesize
7.7MB

Download
memory/2672-19-0x0000000006230000-0x00000000062A4000-memory.dmp

Filesize
464KB

Download
memory/2672-51-0x00000000744C0000-0x0000000074C71000-memory.dmp

Filesize
7.7MB

Download
memory/2672-22-0x00000000744C0000-0x0000000074C71000-memory.dmp

Filesize
7.7MB

Download
memory/2672-35-0x000000000D7A0000-0x000000000D876000-memory.dmp

Filesize
856KB

Download
memory/2672-37-0x000000000D8A0000-0x000000000D8A8000-memory.dmp

Filesize
32KB

Download
memory/2672-23-0x000000000B0A0000-0x000000000B0D4000-memory.dmp

Filesize
208KB

Download
memory/2672-34-0x000000000D770000-0x000000000D792000-memory.dmp

Filesize
136KB

Download
memory/2672-33-0x000000000D570000-0x000000000D622000-memory.dmp

Filesize
712KB

Download
memory/2672-31-0x000000000D490000-0x000000000D4E8000-memory.dmp

Filesize
352KB

Download
memory/2672-26-0x000000000B8A0000-0x000000000B8AA000-memory.dmp

Filesize
40KB

Download
memory/2672-25-0x000000000B6C0000-0x000000000B760000-memory.dmp

Filesize
640KB

Download
memory/2672-24-0x00000000744C0000-0x0000000074C71000-memory.dmp

Filesize
7.7MB

Download
memory/3616-466-0x0000000000B00000-0x0000000000B77000-memory.dmp

Filesize
476KB

Download
memory/3912-82-0x000000000A670000-0x000000000A6AA000-memory.dmp

Filesize
232KB

Download
memory/3912-96-0x000000000EDA0000-0x000000000F0F7000-memory.dmp

Filesize
3.3MB

Download
memory/3912-83-0x000000000AED0000-0x000000000AF70000-memory.dmp

Filesize
640KB

Download
memory/3912-93-0x000000000D050000-0x000000000D058000-memory.dmp

Filesize
32KB

Download
memory/3912-80-0x0000000005F50000-0x0000000005FC4000-memory.dmp

Filesize
464KB

Download
memory/3912-92-0x000000000FB00000-0x000000000FB50000-memory.dmp

Filesize
320KB

Download
memory/3912-544-0x0000000006DE0000-0x0000000006E1E000-memory.dmp

Filesize
248KB

Download
memory/3912-89-0x000000000CC80000-0x000000000CD74000-memory.dmp

Filesize
976KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request