hxxps://github[.]com/ic3w0lf22/Roblox-Account-Manager/releases/download/3[.]7[.]1/Roblox[.]Account[.]Manager[.]3[.]7[.]1[.]zip

Analysis

max time kernel
77s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 02:56 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ic3w0lf22/Roblox-Account-Manager/releases/download/3.7.1/Roblox.Account.Manager.3.7.1.zip

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	vcredist.tmp

Executes dropped EXE 3 IoCs

pid	Process
2416	vcredist.tmp
1900	vcredist.tmp
2608	VC_redist.x86.exe

Loads dropped DLL 2 IoCs

pid	Process
1900	vcredist.tmp
2500	VC_redist.x86.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{4373d0b5-4457-4a80-bad9-029de8df097b} = "\"C:\\ProgramData\\Package Cache\\{4373d0b5-4457-4a80-bad9-029de8df097b}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
59	raw.githubusercontent.com
61	raw.githubusercontent.com

Drops file in System32 directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIA93E.tmp	msiexec.exe
File created	C:\Windows\Installer\e589ec3.msi	msiexec.exe
File created	C:\Windows\Installer\e589eae.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA276.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6EB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e589e9c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0BF.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D7A66DA5-B103-45C1-A0A7-736C08E2F464}	msiexec.exe
File created	C:\Windows\Installer\e589e9c.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e589ead.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e589eae.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0DF1D9F9-6038-4641-AB6D-13DD654758A7}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox Account Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox Account Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff94a5976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de6cf55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\TypedURLs	Roblox Account Manager.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133732618379154019"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\Version = "237536280"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\PackageName = "vc_runtimeAdditional_x86.msi"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle\Dependents	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\Version = "14.40.33816.0"	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5AD66A7D301B1C540A7A37C6802E4F46\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F9D1FD083061464BAD631DD5674857A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Dependents\{4373d0b5-4457-4a80-bad9-029de8df097b}	VC_redist.x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F9D1FD083061464BAD631DD5674857A\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.40.33816"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\Dependents	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.40.33816"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{4373d0b5-4457-4a80-bad9-029de8df097b}	VC_redist.x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\Dependents\{4373d0b5-4457-4a80-bad9-029de8df097b}	VC_redist.x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\AuthorizedLUAApp = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\ = "{D7A66DA5-B103-45C1-A0A7-736C08E2F464}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{D7A66DA5-B103-45C1-A0A7-736C08E2F464}v14.40.33816\\packages\\vcRuntimeMinimum_x86\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\679E80FBE29B63345BF612177149674C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\PackageCode = "74A59C9CB7128C440BC689986566ECC7"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{0DF1D9F9-6038-4641-AB6D-13DD654758A7}v14.40.33816\\packages\\vcRuntimeAdditional_x86\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\PackageCode = "91507CEA530B99A40B0EFDE1E0E92A0B"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\Version = "237536280"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50\9F9D1FD083061464BAD631DD5674857A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\SourceList\PackageName = "vc_runtimeMinimum_x86.msi"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\ProductName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.40.33816"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5AD66A7D301B1C540A7A37C6802E4F46\VC_Runtime_Minimum	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\ProductName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.40.33816"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F9D1FD083061464BAD631DD5674857A\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X86,X86,14.30,BUNDLE\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.40.33816"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5AD66A7D301B1C540A7A37C6802E4F46\Servicing_Key	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4008	chrome.exe
4008	chrome.exe
4916	msiexec.exe
4916	msiexec.exe
4916	msiexec.exe
4916	msiexec.exe
4916	msiexec.exe
4916	msiexec.exe
4916	msiexec.exe
4916	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
388	Roblox Account Manager.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4008	chrome.exe
4008	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeDebugPrivilege	388	Roblox Account Manager.exe
Token: SeBackupPrivilege	2496	vssvc.exe
Token: SeRestorePrivilege	2496	vssvc.exe
Token: SeAuditPrivilege	2496	vssvc.exe
Token: SeShutdownPrivilege	2608	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	2608	VC_redist.x86.exe
Token: SeSecurityPrivilege	4916	msiexec.exe
Token: SeCreateTokenPrivilege	2608	VC_redist.x86.exe
Token: SeAssignPrimaryTokenPrivilege	2608	VC_redist.x86.exe
Token: SeLockMemoryPrivilege	2608	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	2608	VC_redist.x86.exe
Token: SeMachineAccountPrivilege	2608	VC_redist.x86.exe
Token: SeTcbPrivilege	2608	VC_redist.x86.exe
Token: SeSecurityPrivilege	2608	VC_redist.x86.exe
Token: SeTakeOwnershipPrivilege	2608	VC_redist.x86.exe
Token: SeLoadDriverPrivilege	2608	VC_redist.x86.exe
Token: SeSystemProfilePrivilege	2608	VC_redist.x86.exe
Token: SeSystemtimePrivilege	2608	VC_redist.x86.exe
Token: SeProfSingleProcessPrivilege	2608	VC_redist.x86.exe
Token: SeIncBasePriorityPrivilege	2608	VC_redist.x86.exe
Token: SeCreatePagefilePrivilege	2608	VC_redist.x86.exe
Token: SeCreatePermanentPrivilege	2608	VC_redist.x86.exe
Token: SeBackupPrivilege	2608	VC_redist.x86.exe
Token: SeRestorePrivilege	2608	VC_redist.x86.exe
Token: SeShutdownPrivilege	2608	VC_redist.x86.exe
Token: SeDebugPrivilege	2608	VC_redist.x86.exe
Token: SeAuditPrivilege	2608	VC_redist.x86.exe
Token: SeSystemEnvironmentPrivilege	2608	VC_redist.x86.exe
Token: SeChangeNotifyPrivilege	2608	VC_redist.x86.exe
Token: SeRemoteShutdownPrivilege	2608	VC_redist.x86.exe
Token: SeUndockPrivilege	2608	VC_redist.x86.exe
Token: SeSyncAgentPrivilege	2608	VC_redist.x86.exe
Token: SeEnableDelegationPrivilege	2608	VC_redist.x86.exe
Token: SeManageVolumePrivilege	2608	VC_redist.x86.exe
Token: SeImpersonatePrivilege	2608	VC_redist.x86.exe
Token: SeCreateGlobalPrivilege	2608	VC_redist.x86.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 1680	4008	chrome.exe	83
PID 4008 wrote to memory of 1680	4008	chrome.exe	83
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 4772	4008	chrome.exe	84
PID 4008 wrote to memory of 852	4008	chrome.exe	85
PID 4008 wrote to memory of 852	4008	chrome.exe	85
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86
PID 4008 wrote to memory of 4488	4008	chrome.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/ic3w0lf22/Roblox-Account-Manager/releases/download/3.7.1/Roblox.Account.Manager.3.7.1.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe4855cc40,0x7ffe4855cc4c,0x7ffe4855cc58
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,10933780519558145855,17180748148889248428,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1852 /prefetch:2
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,10933780519558145855,17180748148889248428,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,10933780519558145855,17180748148889248428,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,10933780519558145855,17180748148889248428,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,10933780519558145855,17180748148889248428,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4568,i,10933780519558145855,17180748148889248428,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4612,i,10933780519558145855,17180748148889248428,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:4576

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2056

C:\Users\Admin\Desktop\Roblox Account Manager.exe
"C:\Users\Admin\Desktop\Roblox Account Manager.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3784
- C:\Users\Admin\Desktop\Roblox Account Manager.exe
  "C:\Users\Admin\Desktop\Roblox Account Manager.exe" -restart
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\vcredist.tmp
    "C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" /q /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2416
  - - C:\Windows\Temp\{4E54CFC3-3FCB-427F-A232-0A58072C2FB0}\.cr\vcredist.tmp
      "C:\Windows\Temp\{4E54CFC3-3FCB-427F-A232-0A58072C2FB0}\.cr\vcredist.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" -burn.filehandle.attached=724 -burn.filehandle.self=728 /q /norestart
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1900
    - - C:\Windows\Temp\{718BED17-050D-4260-AC1A-DCB9989DDC04}\.be\VC_redist.x86.exe
        
        "C:\Windows\Temp\{718BED17-050D-4260-AC1A-DCB9989DDC04}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{60798FCE-55A0-4BDC-8157-EAAD45992E18} {69BA9AD0-6C89-4ED1-A6CC-E6C3A61014C2} 1900
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
      - C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={4373d0b5-4457-4a80-bad9-029de8df097b} -burn.filehandle.self=976 -burn.embedded BurnPipe.{5D9D1C76-8C91-4913-A118-F57B0FB1CE98} {76EA7A68-D4F1-4D59-9F93-653CFF7527D9} 2608
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={4373d0b5-4457-4a80-bad9-029de8df097b} -burn.filehandle.self=976 -burn.embedded BurnPipe.{5D9D1C76-8C91-4913-A118-F57B0FB1CE98} {76EA7A68-D4F1-4D59-9F93-653CFF7527D9} 2608
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{A757B420-1F0F-439E-BA7D-BC9714DC28FA} {5CBEF837-71B2-4625-AB96-5974CEB9B021} 2500
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:2924

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916

Network

DNS

github.com

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
GET

https://github.com/ic3w0lf22/Roblox-Account-Manager/releases/download/3.7.1/Roblox.Account.Manager.3.7.1.zip

chrome.exe

Remote address:

20.26.156.215:443

Request

GET /ic3w0lf22/Roblox-Account-Manager/releases/download/3.7.1/Roblox.Account.Manager.3.7.1.zip HTTP/2.0
host: github.com
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 302

server: GitHub.com
date: Sun, 13 Oct 2024 02:57:18 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/262147801/17349d93-0fbd-4901-a195-0b455c71bd66?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241013%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241013T025718Z&X-Amz-Expires=300&X-Amz-Signature=ad76cd1da6c228060d1121b303b794de80b1e2b3b6e910baedf33c4539575da3&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DRoblox.Account.Manager.3.7.1.zip&response-content-type=application%2Foctet-stream
cache-control: no-cache
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
content-length: 0
x-github-request-id: D353:3CBAB1:C9EEFC:E60A5B:670B370E
DNS

objects.githubusercontent.com

chrome.exe

Remote address:

8.8.8.8:53

Request

objects.githubusercontent.com

IN A

Response

objects.githubusercontent.com

IN A

185.199.109.133

objects.githubusercontent.com

IN A

185.199.108.133

objects.githubusercontent.com

IN A

185.199.110.133

objects.githubusercontent.com

IN A

185.199.111.133
GET

https://objects.githubusercontent.com/github-production-release-asset-2e65be/262147801/17349d93-0fbd-4901-a195-0b455c71bd66?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241013%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241013T025718Z&X-Amz-Expires=300&X-Amz-Signature=ad76cd1da6c228060d1121b303b794de80b1e2b3b6e910baedf33c4539575da3&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DRoblox.Account.Manager.3.7.1.zip&response-content-type=application%2Foctet-stream

chrome.exe

Remote address:

185.199.109.133:443

Request

GET /github-production-release-asset-2e65be/262147801/17349d93-0fbd-4901-a195-0b455c71bd66?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241013%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241013T025718Z&X-Amz-Expires=300&X-Amz-Signature=ad76cd1da6c228060d1121b303b794de80b1e2b3b6e910baedf33c4539575da3&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DRoblox.Account.Manager.3.7.1.zip&response-content-type=application%2Foctet-stream HTTP/2.0
host: objects.githubusercontent.com
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

content-type: application/octet-stream
last-modified: Mon, 12 Feb 2024 02:38:03 GMT
etag: "0x8DC2B73A33BA25E"
server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: f9a9a2c2-b01e-0010-5ba1-13243d000000
x-ms-version: 2023-11-03
x-ms-creation-time: Mon, 12 Feb 2024 02:38:03 GMT
x-ms-blob-content-md5: XU4HHJogBhl4vnnXxyEwaA==
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
content-disposition: attachment; filename=Roblox.Account.Manager.3.7.1.zip
x-ms-server-encrypted: true
via: 1.1 varnish, 1.1 varnish
fastly-restarts: 1
accept-ranges: bytes
age: 316
date: Sun, 13 Oct 2024 02:57:18 GMT
x-served-by: cache-iad-kjyo7100113-IAD, cache-lcy-eglc8600058-LCY
x-cache: HIT, HIT
x-cache-hits: 549, 0
x-timer: S1728788239.518754,VS0,VE75
content-length: 4420989
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

234.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.179.250.142.in-addr.arpa

IN PTR

Response

234.179.250.142.in-addr.arpa

IN PTR

lhr25s31-in-f101e100net
DNS

215.156.26.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

215.156.26.20.in-addr.arpa

IN PTR

Response
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

133.109.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.109.199.185.in-addr.arpa

IN PTR

Response

133.109.199.185.in-addr.arpa

IN PTR

cdn-185-199-109-133githubcom
DNS

70.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

70.209.201.84.in-addr.arpa

IN PTR

Response
DNS

70.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

70.209.201.84.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

aka.ms

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

aka.ms

IN A

Response

aka.ms

IN A

104.115.33.213
GET

https://aka.ms/vs/17/release/vc_redist.x86.exe

Roblox Account Manager.exe

Remote address:

104.115.33.213:443

Request

GET /vs/17/release/vc_redist.x86.exe HTTP/1.1
Host: aka.ms
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Content-Length: 0
Server: Kestrel
Location: https://download.visualstudio.microsoft.com/download/pr/5cc0a375-ebc5-4a27-8a76-aa43097a8949/ED1967C2AC27D806806D121601B526F84E497AE1B99ED139C0C4C6B50147DF4A/VC_redist.x86.exe
Request-Context: appId=cid-v1:9b037ab9-fa5a-4c09-81bd-41ffa859f01e
X-Response-Cache-Status: True
Expires: Sun, 13 Oct 2024 02:58:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 13 Oct 2024 02:58:09 GMT
Connection: keep-alive
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
DNS

download.visualstudio.microsoft.com

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

download.visualstudio.microsoft.com

IN A

Response

download.visualstudio.microsoft.com

IN CNAME

visualstudio-geo.trafficmanager.net

visualstudio-geo.trafficmanager.net

IN CNAME

fg.microsoft.map.fastly.net

fg.microsoft.map.fastly.net

IN A

199.232.214.172

fg.microsoft.map.fastly.net

IN A

199.232.210.172
GET

https://download.visualstudio.microsoft.com/download/pr/5cc0a375-ebc5-4a27-8a76-aa43097a8949/ED1967C2AC27D806806D121601B526F84E497AE1B99ED139C0C4C6B50147DF4A/VC_redist.x86.exe

Roblox Account Manager.exe

Remote address:

199.232.214.172:443

Request

GET /download/pr/5cc0a375-ebc5-4a27-8a76-aa43097a8949/ED1967C2AC27D806806D121601B526F84E497AE1B99ED139C0C4C6B50147DF4A/VC_redist.x86.exe HTTP/1.1
Host: download.visualstudio.microsoft.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 13950496
Cache-Control: public, max-age=259200
Content-Disposition: attachment; filename=VC_redist.x86.exe; filename*=UTF-8''VC_redist.x86.exe
Content-Type: application/octet-stream
Etag: "0x070C730E962FDF32534C7E2A05168650A5F57495F770FF2E399B69BA667FB49F"
Last-Modified: Fri, 27 Sep 2024 10:57:38 GMT
X-Ms-ApiVersion: Distribute 1.2
X-Ms-Region: prod-neu-z1
Accept-Ranges: bytes
Date: Sun, 13 Oct 2024 02:58:09 GMT
Via: 1.1 varnish
Age: 122066
X-Served-By: cache-lon4283-LON
X-Cache: HIT
X-Cache-Hits: 169
X-Timer: S1728788289.206748,VS0,VE0
X-CID: 3
X-CCC: GB
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

api.github.com

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

api.github.com

IN A

Response

api.github.com

IN A

20.26.156.210
DNS

clientsettings.roblox.com

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

clientsettings.roblox.com

IN A

Response

clientsettings.roblox.com

IN CNAME

titanium.roblox.com

titanium.roblox.com

IN CNAME

edge-term4.roblox.com

edge-term4.roblox.com

IN CNAME

edge-term4-cdg1.roblox.com

edge-term4-cdg1.roblox.com

IN A

128.116.122.4
GET

https://api.github.com/repos/ic3w0lf22/Roblox-Account-Manager/releases/latest

Roblox Account Manager.exe

Remote address:

20.26.156.210:443

Request

GET /repos/ic3w0lf22/Roblox-Account-Manager/releases/latest HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Host: api.github.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 13 Oct 2024 02:58:10 GMT
Content-Type: application/json; charset=utf-8
Cache-Control: public, max-age=60, s-maxage=60
Vary: Accept,Accept-Encoding, Accept, X-Requested-With
ETag: W/"e0f176529a5e3906fef3246284284fe0803071b588b70bde9e2db72b326c63c5"
Last-Modified: Thu, 18 Jul 2024 01:37:43 GMT
X-GitHub-Media-Type: github.v3; format=json
x-github-api-version-selected: 2022-11-28
Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Content-Security-Policy: default-src 'none'
Server: github.com
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
X-RateLimit-Reset: 1728791890
X-RateLimit-Resource: core
X-RateLimit-Used: 1
Accept-Ranges: bytes
Content-Length: 4024
X-GitHub-Request-Id: D404:3C46EC:A92626:B4FA74:670B3742
GET

https://clientsettings.roblox.com/v1/client-version/WindowsPlayer

Roblox Account Manager.exe

Remote address:

128.116.122.4:443

Request

GET /v1/client-version/WindowsPlayer HTTP/1.1
Host: clientsettings.roblox.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

content-length: 119
content-type: application/json; charset=utf-8
date: Sun, 13 Oct 2024 02:58:10 GMT
server: Kestrel
cache-control: public, must-revalidate, max-age=30, stale-while-revalidate=3
strict-transport-security: max-age=3600
x-frame-options: SAMEORIGIN
roblox-machine-id: 0c42c31d-6d11-b2f0-b08f-0c067fe19c83
x-roblox-region: us-central_rbx
x-roblox-edge: c076
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1}
DNS

github.com

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
GET

https://github.com/ic3w0lf22/Roblox-Account-Manager/raw/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

Roblox Account Manager.exe

Remote address:

20.26.156.215:443

Request

GET /ic3w0lf22/Roblox-Account-Manager/raw/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt HTTP/1.1
Host: github.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sun, 13 Oct 2024 02:58:11 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/ic3w0lf22/Roblox-Account-Manager/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: D40A:3CBAB1:CA005C:E61E9C:670B3743
GET

https://edgedl.me.gvt1.com/edgedl/chrome/chrome-for-testing/119.0.6045.105/win64/chrome-win64.zip

Roblox Account Manager.exe

Remote address:

34.104.35.123:443

Request

GET /edgedl/chrome/chrome-for-testing/119.0.6045.105/win64/chrome-win64.zip HTTP/1.1
Host: edgedl.me.gvt1.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

last-modified: Wed, 02 May 2007 10:26:10 GMT
date: Sun, 13 Oct 2024 02:58:11 GMT
expires: Sun, 13 Oct 2024 03:13:11 GMT
cache-control: public, max-age=900
location: https://storage.googleapis.com/chrome-for-testing-public/119.0.6045.105/win64/chrome-win64.zip
content-length: 0
x-content-type-options: nosniff
content-type: text/html
server: Google-Edge-Cache
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000
x-request-id: 0b33f24f-ccd3-4941-bea8-10ea50639672
DNS

raw.githubusercontent.com

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.109.133
DNS

storage.googleapis.com

Roblox Account Manager.exe

Remote address:

8.8.8.8:53

Request

storage.googleapis.com

IN A

Response

storage.googleapis.com

IN A

216.58.212.251

storage.googleapis.com

IN A

142.250.179.251

storage.googleapis.com

IN A

172.217.169.27

storage.googleapis.com

IN A

142.250.200.27

storage.googleapis.com

IN A

216.58.212.219

storage.googleapis.com

IN A

172.217.169.91

storage.googleapis.com

IN A

142.250.187.219

storage.googleapis.com

IN A

142.250.178.27

storage.googleapis.com

IN A

216.58.201.123

storage.googleapis.com

IN A

216.58.204.91

storage.googleapis.com

IN A

142.250.187.251

storage.googleapis.com

IN A

142.250.180.27

storage.googleapis.com

IN A

172.217.16.251

storage.googleapis.com

IN A

142.250.200.59
GET

https://raw.githubusercontent.com/ic3w0lf22/Roblox-Account-Manager/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

Roblox Account Manager.exe

Remote address:

185.199.111.133:443

Request

GET /ic3w0lf22/Roblox-Account-Manager/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 712
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "6504a8f1f84c961d1505a765a5f721ff8cd0b5f0f12ed8226f135185f6667f5c"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 71A9:89A00:15226A:1AE8EC:67021926
Accept-Ranges: bytes
Date: Sun, 13 Oct 2024 02:58:11 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420135-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1728788292.510768,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 2a9d5356768d4dbee384d7810e3a423618d8e993
Expires: Sun, 13 Oct 2024 03:03:11 GMT
Source-Age: 228
DNS

210.156.26.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.156.26.20.in-addr.arpa

IN PTR

Response
DNS

4.122.116.128.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.122.116.128.in-addr.arpa

IN PTR

Response
DNS

123.35.104.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

123.35.104.34.in-addr.arpa

IN PTR

Response

123.35.104.34.in-addr.arpa

IN PTR

1233510434bcgoogleusercontentcom
GET

https://storage.googleapis.com/chrome-for-testing-public/119.0.6045.105/win64/chrome-win64.zip

Roblox Account Manager.exe

Remote address:

216.58.212.251:443

Request

GET /chrome-for-testing-public/119.0.6045.105/win64/chrome-win64.zip HTTP/1.1
Host: storage.googleapis.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Expires: Sun, 13 Oct 2024 03:58:11 GMT
Date: Sun, 13 Oct 2024 02:58:11 GMT
Cache-Control: public, max-age=3600
Last-Modified: Fri, 16 Feb 2024 17:24:10 GMT
ETag: "1e4774981a1b068c301d9282bb38706e"
x-goog-generation: 1708104250635651
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 150638219
Content-Type: application/zip
x-goog-hash: crc32c=9AQkeg==
x-goog-hash: md5=Hkd0mBobBowwHZKCuzhwbg==
x-goog-storage-class: STANDARD
Accept-Ranges: bytes
Content-Length: 150638219
X-GUploader-UploadID: AHmUCY1SUJkHO3_pm3HMjB9athczbpyT7-00LPLYNQ88DDnHUV41g_7YjmF-2yqLPkNDbvwWLpMG96sZrw
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

133.111.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.111.199.185.in-addr.arpa

IN PTR

Response

133.111.199.185.in-addr.arpa

IN PTR

cdn-185-199-111-133githubcom
DNS

251.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

251.212.58.216.in-addr.arpa

IN PTR

Response

251.212.58.216.in-addr.arpa

IN PTR

ams16s22-in-f271e100net

251.212.58.216.in-addr.arpa

IN PTR

lhr25s28-in-f27�I

251.212.58.216.in-addr.arpa

IN PTR

ams16s22-in-f251�I
DNS

103.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.209.201.84.in-addr.arpa

IN PTR

Response
DNS

103.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.209.201.84.in-addr.arpa

IN PTR
DNS

246.197.219.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

246.197.219.23.in-addr.arpa

IN PTR

Response

246.197.219.23.in-addr.arpa

IN PTR

a23-219-197-246deploystaticakamaitechnologiescom

20.26.156.215:443

https://github.com/ic3w0lf22/Roblox-Account-Manager/releases/download/3.7.1/Roblox.Account.Manager.3.7.1.zip

tls, http2

chrome.exe

1.9kB
8.6kB
14
14

HTTP Request

GET https://github.com/ic3w0lf22/Roblox-Account-Manager/releases/download/3.7.1/Roblox.Account.Manager.3.7.1.zip

HTTP Response

302
185.199.109.133:443

https://objects.githubusercontent.com/github-production-release-asset-2e65be/262147801/17349d93-0fbd-4901-a195-0b455c71bd66?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241013%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241013T025718Z&X-Amz-Expires=300&X-Amz-Signature=ad76cd1da6c228060d1121b303b794de80b1e2b3b6e910baedf33c4539575da3&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DRoblox.Account.Manager.3.7.1.zip&response-content-type=application%2Foctet-stream

tls, http2

chrome.exe

81.0kB
4.6MB
1725
3282

HTTP Request

GET https://objects.githubusercontent.com/github-production-release-asset-2e65be/262147801/17349d93-0fbd-4901-a195-0b455c71bd66?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241013%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241013T025718Z&X-Amz-Expires=300&X-Amz-Signature=ad76cd1da6c228060d1121b303b794de80b1e2b3b6e910baedf33c4539575da3&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DRoblox.Account.Manager.3.7.1.zip&response-content-type=application%2Foctet-stream

HTTP Response

200
104.115.33.213:443

https://aka.ms/vs/17/release/vc_redist.x86.exe

tls, http

Roblox Account Manager.exe

904 B
5.4kB
11
11

HTTP Request

GET https://aka.ms/vs/17/release/vc_redist.x86.exe

HTTP Response

301
199.232.214.172:443

https://download.visualstudio.microsoft.com/download/pr/5cc0a375-ebc5-4a27-8a76-aa43097a8949/ED1967C2AC27D806806D121601B526F84E497AE1B99ED139C0C4C6B50147DF4A/VC_redist.x86.exe

tls, http

Roblox Account Manager.exe

252.6kB
14.4MB
5391
10315

HTTP Request

GET https://download.visualstudio.microsoft.com/download/pr/5cc0a375-ebc5-4a27-8a76-aa43097a8949/ED1967C2AC27D806806D121601B526F84E497AE1B99ED139C0C4C6B50147DF4A/VC_redist.x86.exe

HTTP Response

200
20.26.156.210:443

https://api.github.com/repos/ic3w0lf22/Roblox-Account-Manager/releases/latest

tls, http

Roblox Account Manager.exe

900 B
9.2kB
8
10

HTTP Request

GET https://api.github.com/repos/ic3w0lf22/Roblox-Account-Manager/releases/latest

HTTP Response

200
128.116.122.4:443

https://clientsettings.roblox.com/v1/client-version/WindowsPlayer

tls, http

Roblox Account Manager.exe

771 B
6.5kB
8
9

HTTP Request

GET https://clientsettings.roblox.com/v1/client-version/WindowsPlayer

HTTP Response

200
20.26.156.215:443

https://github.com/ic3w0lf22/Roblox-Account-Manager/raw/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

tls, http

Roblox Account Manager.exe

945 B
7.9kB
11
11

HTTP Request

GET https://github.com/ic3w0lf22/Roblox-Account-Manager/raw/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

HTTP Response

302
34.104.35.123:443

https://edgedl.me.gvt1.com/edgedl/chrome/chrome-for-testing/119.0.6045.105/win64/chrome-win64.zip

tls, http

Roblox Account Manager.exe

796 B
5.6kB
8
9

HTTP Request

GET https://edgedl.me.gvt1.com/edgedl/chrome/chrome-for-testing/119.0.6045.105/win64/chrome-win64.zip

HTTP Response

302
185.199.111.133:443

https://raw.githubusercontent.com/ic3w0lf22/Roblox-Account-Manager/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

tls, http

Roblox Account Manager.exe

925 B
6.0kB
10
13

HTTP Request

GET https://raw.githubusercontent.com/ic3w0lf22/Roblox-Account-Manager/master/RBX%20Alt%20Manager/Resources/WatcherRegexMatches.txt

HTTP Response

200
216.58.212.251:443

https://storage.googleapis.com/chrome-for-testing-public/119.0.6045.105/win64/chrome-win64.zip

tls, http

Roblox Account Manager.exe

3.2MB
155.8MB
63419
111537

HTTP Request

GET https://storage.googleapis.com/chrome-for-testing-public/119.0.6045.105/win64/chrome-win64.zip

HTTP Response

200

8.8.8.8:53

github.com

dns

Roblox Account Manager.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

objects.githubusercontent.com

dns

chrome.exe

75 B
139 B
1
1

DNS Request

objects.githubusercontent.com

DNS Response

185.199.109.133

185.199.108.133

185.199.110.133

185.199.111.133
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

234.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

234.179.250.142.in-addr.arpa
8.8.8.8:53

215.156.26.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

215.156.26.20.in-addr.arpa
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

133.109.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.109.199.185.in-addr.arpa
224.0.0.251:5353

chrome.exe

204 B
3
8.8.8.8:53

70.209.201.84.in-addr.arpa

dns

144 B
132 B
2
1

DNS Request

70.209.201.84.in-addr.arpa

DNS Request

70.209.201.84.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

aka.ms

dns

Roblox Account Manager.exe

52 B
68 B
1
1

DNS Request

aka.ms

DNS Response

104.115.33.213
8.8.8.8:53

download.visualstudio.microsoft.com

dns

Roblox Account Manager.exe

81 B
200 B
1
1

DNS Request

download.visualstudio.microsoft.com

DNS Response

199.232.214.172

199.232.210.172
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

api.github.com

dns

Roblox Account Manager.exe

60 B
76 B
1
1

DNS Request

api.github.com

DNS Response

20.26.156.210
8.8.8.8:53

clientsettings.roblox.com

dns

Roblox Account Manager.exe

71 B
165 B
1
1

DNS Request

clientsettings.roblox.com

DNS Response

128.116.122.4
8.8.8.8:53

github.com

dns

Roblox Account Manager.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

raw.githubusercontent.com

dns

Roblox Account Manager.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.111.133

185.199.108.133

185.199.110.133

185.199.109.133
8.8.8.8:53

storage.googleapis.com

dns

Roblox Account Manager.exe

68 B
292 B
1
1

DNS Request

storage.googleapis.com

DNS Response

216.58.212.251

142.250.179.251

172.217.169.27

142.250.200.27

216.58.212.219

172.217.169.91

142.250.187.219

142.250.178.27

216.58.201.123

216.58.204.91

142.250.187.251

142.250.180.27

172.217.16.251

142.250.200.59
8.8.8.8:53

210.156.26.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

210.156.26.20.in-addr.arpa
8.8.8.8:53

4.122.116.128.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

4.122.116.128.in-addr.arpa
8.8.8.8:53

123.35.104.34.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

123.35.104.34.in-addr.arpa
8.8.8.8:53

133.111.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.111.199.185.in-addr.arpa
8.8.8.8:53

251.212.58.216.in-addr.arpa

dns

73 B
173 B
1
1

DNS Request

251.212.58.216.in-addr.arpa
8.8.8.8:53

103.209.201.84.in-addr.arpa

dns

146 B
133 B
2
1

DNS Request

103.209.201.84.in-addr.arpa

DNS Request

103.209.201.84.in-addr.arpa
8.8.8.8:53

246.197.219.23.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

246.197.219.23.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e589ea1.rbs

Filesize
16KB

MD5
0f87d8b8397e5ffa225602a309b20345

SHA1
90f5f3e0c038701dbdfacb4147feeb942b253e39

SHA256
bb6ef45cc8c10342e719266d03bd3744b3174c1aa93cfaf56f6d8947455987ed

SHA512
2fa136235b40e3542fa0877fa9258f892320ec8b1223f19f2fa40c6f85b76682b8c78501896551d243dbc8b738f6ac36828c6e7255f2d32309757caa02d8aa28

Download Submit
C:\Config.Msi\e589ea6.rbs

Filesize
18KB

MD5
dd6645ba521bbacfe31741b5e471d47d

SHA1
f7be38ad2f6110524a07a786e26ece528ca0cee2

SHA256
a83eb91f382702bb3740b349b72acbbe5477a93d3c1d96cb6f0824881456150b

SHA512
aa7b25517769c1b07d2531ede080aa9a27f7e1b931492deefb3b8354f5cdbcf078543344216e9f8afbfd58ae2def7025a37d7a64dd38c81c6e86c3245351aae7

Download Submit
C:\Config.Msi\e589eb3.rbs

Filesize
20KB

MD5
e10418398e9c984547205d968661bc17

SHA1
1970f3ce0a45d65e2afb9c30a26c31f29b225f4c

SHA256
50501db6eaa1e79654c2b25306bd950c084b23f24aa339ce37670e7ab8d1dc39

SHA512
2802e52ca462876bf0021138d8bf8fe20f95975181f4608df4fc519f0a78d50806bfb62196330b7660790a7b98ac735d5e4fbf75accb2ba1176a743b922d5e46

Download Submit
C:\Config.Msi\e589ec2.rbs

Filesize
19KB

MD5
dddecfc0c580fd922505c391088a7007

SHA1
bc8be35a38baa87e8f080ad439f4f54ce8288643

SHA256
67666eed8df133e32e806d4e37c8b7ef30a19dd93a20f8a9a914c10bd62b52a6

SHA512
59ed37af8b6c3fe06abc68cd34aa6e0710d72b3d26abf949409a405e7fee496e0c1fae368bdbcb7762b8fe7b7606107863386769685b64c91ef84c784d4b18e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ec560eb94ef3fb57af28cebbbbf75bb7

SHA1
8b8e19ee8422ee5edf2348a89b441bba3f65a607

SHA256
528ae5ae29d2059a15d5eddb88204d978614d1d5eba8ae64e57b0cb436b2c2fa

SHA512
e34800325b8f7f70b2f500ecb256e6f338283dd8807ca6adcab8098bc3873f2225319e8d4b8cdd0c726858894f85c02f5de6a6bba39e0184c4dadc6be4aa4631

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
ca84214924fef45f0f682e968785c614

SHA1
5a468b474c04d4f8e533db1201b45438d6ad2f6d

SHA256
7e421c90702b17a29b97cfcf73da0bf9868be6aa4c5e4844ee8efc24420594cc

SHA512
b8d4263839a622d6bfc95b904eb94bd6ca005c891bc3af930d7d6d8a7ecfc60099fe32492a6d54e04ffb8eb087493aa454fb5d555ba79daacfe8a8f50601c8d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fa061e5c4649fd6034da742573bd403f

SHA1
1c00becc2c29321615012de6b76584adce9010d4

SHA256
98dcbfaf10f80759060f5750c03ca53c60b2d78d6a33c3b6b454add4ac17dd54

SHA512
2fb5a8967c0db402221b52d14ea8e758fc1646d6dcd0876ce3824275367e3c3010e3d4523ee7ef35792176283c2675f6c6c0178f95bf470a334fbd5d88348934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
05fee561f5d5d05836e940d616b144a5

SHA1
5f322c8dbfe74ae84adf142c7f9ee120355c3cef

SHA256
3358d0420003fdb501f2a171117c70c3652ab5153f47798336d0e8601c6f420c

SHA512
c1e5bd578773ed2a4efd56c585bb3369167a3c3e00a03ca44ece6779bb0007db29301c42f0b943f2f3b8fa868638fb9b70a5e49dcef29f3ddbf8c9f185b54487

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
a3e60837466c09a0c1bcf5c21f3b58bc

SHA1
eefb7c8cb98a8031859587ba9c77dcef224cb318

SHA256
62b69f7ef9d5c44a638a7a8e6bedd34f5e884d32b82827bbbb97bddec05a9741

SHA512
53fcf9422cb041cdce12c5e7c9ef8a00ea27446e1f608b2296b0b4ddf8b93b540fd6dccd1bd71d5ce5560f0c6beebbd78560ffb56d675d16b24d84b7cf89e3e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Roblox Account Manager.exe.log

Filesize
1KB

MD5
a02e8a8a790f0e0861e3b6b0dbe56062

SHA1
a3e65805e5c78641cafebc1052906d7350da9d2e

SHA256
7fada0f81b63e1ecb265e9620ace8f5f0d40773626081849f5d98e668bc4e594

SHA512
108a81f818aa027834d621c771e427ee3f300c59d9dc10d853b94b1e8d635cf6bc06338dce31da30b08660c6fb06a39f9069c983bb585049f5fe9f50b753eb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20241013025810_000_vcRuntimeMinimum_x86.log

Filesize
2KB

MD5
55aabfbe6e26dfb37b485a471fd9115e

SHA1
360afa444f6e9a2379ec4534e869fe6ec58db4b1

SHA256
14629c35e4d987b6e75ba8933dd80bf173e2d84341009f6212b16f127deb8b2c

SHA512
a8656059125a956d40824bf9fd1e163875cd1ae6b78ad367ca4fdb9b4dc16b7170dbd61870bdd330c733f9a01cc010dce4ef436a1d7782229193ae79b583e8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20241013025810_001_vcRuntimeAdditional_x86.log

Filesize
2KB

MD5
955427b38554df5321e20a6e1eb6cf8f

SHA1
a778626d2782fa4f211ea0a3d5bc203cf687d3c8

SHA256
80242a443e0e250c3d02ff8526a64b233df7743b494bead7e7b78465d8b10ece

SHA512
85c05dac19b136431562311192fb73f90d2d5918b9df47a7679c25fd85093d15d671670fdb026d6ee8e2a4f958275d71d1f9a8dd271735678d0b50b28d056119

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist.tmp

Filesize
13.3MB

MD5
d38126688b5647bf209606d07a90c2e6

SHA1
467bb2c862def52f2858e5158c96f7ac6d6dcab2

SHA256
ed1967c2ac27d806806d121601b526f84e497ae1b99ed139c0c4c6b50147df4a

SHA512
8a0991b993d5206450228454b4f83251cc311cc2b0dd105494928e03bf2e865de8ccf9676c8e7453164bb1805929a3a9616ea020524b77dbc0a6bbca0d222daf

Download Submit
C:\Users\Admin\Desktop\RAMSettings.ini

Filesize
1014B

MD5
1d917eaf5dcc8e06dd032c33f3a3d36a

SHA1
1eacb4eced22393fd5140910d30070f2e054e2fe

SHA256
787fa9af1c32b7e198119469c0e2c02c06b34ec7c990b62b9f4fb9bc8cedaa5f

SHA512
3cf5bc6160262ad454477cc0fab401696a7e5dff9e6fae1cdcfa0579ded640ea8c383dfcea6194f55c914927058e2355fd661d1fa83f87c10aeffa6a91cb9fcd

Download Submit
C:\Users\Admin\Desktop\RAMTheme.ini

Filesize
314B

MD5
f18fa783f4d27e35e54e54417334bfb4

SHA1
94511cdf37213bebdaf42a6140c9fe5be8eb07ba

SHA256
563eb35fd613f4298cd4dceff67652a13ba516a6244d9407c5709323c4ca4bb1

SHA512
602f6a68562bc89a4b3c3a71c2477377f161470bf8ae8e6925bf35691367115abfa9809925bd09c35596c6a3e5a7e9d090e5198e6a885a6658049c8732a05071

Download Submit
C:\Users\Admin\Desktop\Roblox Account Manager.exe.config

Filesize
6KB

MD5
d5e4966de947333592289d70916257a9

SHA1
5907df0fd07df6c33926906e94f4ed08d40be017

SHA256
d726d47b772a70fabc777c8ed46655fe5200e672f01f11dd95c5f4994e0a71e0

SHA512
c618054766bee664f0605a037f065c196c35495ee993b305f0bece4738ec9f7bd632dc8fb541bcf9d156f12e115455f31dd8db2a8cceb9d7d2f0d05d501831e9

Download Submit
C:\Users\Admin\Desktop\log4.config

Filesize
936B

MD5
e4659ac08af3582a23f38bf6c562f841

SHA1
19cb4f014ba96285fa1798f008deabce632c7e76

SHA256
e4b10630d9ec2af508de31752fbbc6816c7426c40a3e57f0a085ce7f42c77bd5

SHA512
5bfa1e021cc7ee5e7a00da865d68684202b3b92d3d369b85b80c591fffa67725d434398325dc1e37c659eab62c0a4118b3e279ac0096b95790d252ceb6254249

Download Submit
C:\Users\Admin\Downloads\Roblox.Account.Manager.3.7.1.zip.crdownload

Filesize
4.2MB

MD5
5d4e071c9a20061978be79d7c7213068

SHA1
c388cb6e43646845d2366bcfe275cfabe7707518

SHA256
c260b8bfacd5be41c48c74e53de2a8fa389c3ec293846ddc7255abd9ff02261b

SHA512
def6415512e5ed67a588c4d3b4c574c22a2431faf1df92cb080913e7bd6c2ecf73cd16371dc12500221d4aa43e9bbfdac3b78f5da6a1a1d5a5d156bed2ff7f32

Download Submit
C:\Windows\Temp\{1CFBB38E-4603-43C3-A5A5-26F7820C723B}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{4E54CFC3-3FCB-427F-A232-0A58072C2FB0}\.cr\vcredist.tmp

Filesize
669KB

MD5
38b9328b53a786141dc7d54992aa03bc

SHA1
b3de0981128c8170b70e977a21c6c7e3e8437d8f

SHA256
32e2651799071c5e6c51bdaf0df7823526b25b2f34c01f9472bb159044d62c11

SHA512
b5ac7f0675feea295be0553520fd5341e5122ea1e33d2eaffa5d9f9170f5c97b30ea5db25774c00a69ecc48f018412bb1795e357aafc7565e242e5e4025527e2

Download Submit
C:\Windows\Temp\{718BED17-050D-4260-AC1A-DCB9989DDC04}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{718BED17-050D-4260-AC1A-DCB9989DDC04}\.ba\wixstdba.dll

Filesize
215KB

MD5
f68f43f809840328f4e993a54b0d5e62

SHA1
01da48ce6c81df4835b4c2eca7e1d447be893d39

SHA256
e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e

SHA512
a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1

Download Submit
C:\Windows\Temp\{718BED17-050D-4260-AC1A-DCB9989DDC04}\cab54A5CABBE7274D8A22EB58060AAB7623

Filesize
828KB

MD5
c15278501772ebaf95ab908b94a552f2

SHA1
cf9c8ae523d9a6ed2797be072c9f659b9ed5dadb

SHA256
17d7bcb6c05f6c422f1bfbf5db923fc7d1427ec578968b75403830e759853b07

SHA512
f109a3af129b0025bd6dfb141d27e3d336145bc70c1fde590e44e4402d479680ca91ac0bc8cf8cd854e05a74c649719822218b2a1f58f75cbbaa9f03c9aeaf93

Download Submit
C:\Windows\Temp\{718BED17-050D-4260-AC1A-DCB9989DDC04}\cabB3E1576D1FEFBB979E13B1A5379E0B16

Filesize
5.0MB

MD5
512cc3e31ba72999bd0be1ff2faf59df

SHA1
56210834f64afa1800def2bc26d421e78c056639

SHA256
55b0b98e9222a6f43c644bbf6f642267535d08270dce52c09e0f31b98385ffb0

SHA512
3c912488fdbd9b6f01e87a189f825b77c186d018df9ed27fe554644eb0b40fdeac8903f7ee99a77c740c75b27056fd7977e47810144714052539308d16a7df67

Download Submit
C:\Windows\Temp\{718BED17-050D-4260-AC1A-DCB9989DDC04}\vcRuntimeAdditional_x86

Filesize
200KB

MD5
4879fe953ed435ca08589645b8eec144

SHA1
bc58d6f3ed69be01690d97c59dafda612cbc5f2b

SHA256
0ddc3f10282fdb663ac92ce5930e46cf996a4b42b592b9911b4001d12d4178bc

SHA512
222cb3f93b5d759c87077716f9cc95f152997e6c95a13aae8a4e789c274836ba41a03b6e08926135efdc8cd8413b47f02f34ddd4f6c7622ea98458b6e06d24ce

Download Submit
C:\Windows\Temp\{718BED17-050D-4260-AC1A-DCB9989DDC04}\vcRuntimeMinimum_x86

Filesize
200KB

MD5
aebc9db05b27963bdd7dc5f3c7eca0a9

SHA1
31d6f6cabd5fbfb7c2899d481f18e18930dbfdfd

SHA256
d9598b33dc795da4cbd520b790c45507cbce3976576e0e506b388c5f7ac3290c

SHA512
564d945821d80e27fdffcfdafd79c72d498018067a74e85fd6ee595a6a09453ae0fb1df41b430f656001bafc1b0b89c5433bd5aae48c179daa7a8a8732090c63

Download Submit
memory/388-231-0x000000000C740000-0x000000000C74A000-memory.dmp

Filesize
40KB

Download
memory/388-232-0x000000000C770000-0x000000000C782000-memory.dmp

Filesize
72KB

Download
memory/388-160-0x000000000D6B0000-0x000000000D786000-memory.dmp

Filesize
856KB

Download
memory/388-161-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/388-162-0x0000000007590000-0x0000000007598000-memory.dmp

Filesize
32KB

Download
memory/388-158-0x0000000007440000-0x00000000074F2000-memory.dmp

Filesize
712KB

Download
memory/388-156-0x0000000007360000-0x00000000073B8000-memory.dmp

Filesize
352KB

Download
memory/388-151-0x000000000B850000-0x000000000B85A000-memory.dmp

Filesize
40KB

Download
memory/388-150-0x000000000BEC0000-0x000000000BF60000-memory.dmp

Filesize
640KB

Download
memory/388-227-0x000000000C2D0000-0x000000000C2D8000-memory.dmp

Filesize
32KB

Download
memory/388-226-0x000000000C310000-0x000000000C360000-memory.dmp

Filesize
320KB

Download
memory/388-228-0x000000000C360000-0x000000000C6B4000-memory.dmp

Filesize
3.3MB

Download
memory/388-149-0x000000000B2B0000-0x000000000B2E4000-memory.dmp

Filesize
208KB

Download
memory/388-159-0x0000000007540000-0x0000000007562000-memory.dmp

Filesize
136KB

Download
memory/388-147-0x0000000006610000-0x000000000661A000-memory.dmp

Filesize
40KB

Download
memory/388-146-0x0000000006590000-0x0000000006604000-memory.dmp

Filesize
464KB

Download
memory/2256-580-0x0000000000D90000-0x0000000000E07000-memory.dmp

Filesize
476KB

Download
memory/2500-579-0x0000000000D90000-0x0000000000E07000-memory.dmp

Filesize
476KB

Download
memory/3784-143-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/3784-136-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/3784-135-0x0000000005F30000-0x0000000005F4E000-memory.dmp

Filesize
120KB

Download
memory/3784-134-0x0000000005ED0000-0x0000000005EF6000-memory.dmp

Filesize
152KB

Download
memory/3784-133-0x0000000005FD0000-0x0000000006062000-memory.dmp

Filesize
584KB

Download
memory/3784-132-0x0000000005DC0000-0x0000000005E06000-memory.dmp

Filesize
280KB

Download
memory/3784-131-0x00000000064E0000-0x0000000006A84000-memory.dmp

Filesize
5.6MB

Download
memory/3784-130-0x0000000000F40000-0x00000000014BA000-memory.dmp

Filesize
5.5MB

Download
memory/3784-129-0x000000007521E000-0x000000007521F000-memory.dmp

Filesize
4KB

Download
memory/4964-542-0x0000000000D90000-0x0000000000E07000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.