Analysis
max time kernel: 77s
max time network: 78s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2024 02:56
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/ic3w0lf22/Roblox-Account-Manager/releases/download/3.7.1/Roblox.Account.Manager.3.7.1.zip
Resource: win10v2004-20241007-en
General
Target: https://github.com/ic3w0lf22/Roblox-Account-Manager/releases/download/3.7.1/Roblox.Account.Manager.3.7.1.zip
Malware Config
Signatures
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | vcredist.tmp
Executes dropped EXE (3 IoCs)
pid | Process
2416 | vcredist.tmp
1900 | vcredist.tmp
2608 | VC_redist.x86.exe
Loads dropped DLL (2 IoCs)
pid | Process
1900 | vcredist.tmp
2500 | VC_redist.x86.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{4373d0b5-4457-4a80-bad9-029de8df097b} = "\"C:\\ProgramData\\Package Cache\\{4373d0b5-4457-4a80-bad9-029de8df097b}\\VC_redist.x86.exe\" /burn.runonce" | VC_redist.x86.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow | ioc
59 | raw.githubusercontent.com
61 | raw.githubusercontent.com
Drops file in System32 directory (49 IoCs)
Drops file in Windows directory (15 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\TypedURLs | Roblox Account Manager.exe
Modifies data under HKEY_USERS (11 IoCs)
Modifies registry class (64 IoCs)
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
388 | Roblox Account Manager.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
pid | Process
4008 | chrome.exe
4008 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (35 IoCs)
Suspicious use of SendNotifyMessage (24 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/ic3w0lf22/Roblox-Account-Manager/releases/download/3.7.1/Roblox.Account.Manager.3.7.1.zip
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4008 (depth 1)

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe4855cc40,0x7ffe4855cc4c,0x7ffe4855cc58
PID: 1680 (depth 2)

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,10933780519558145855,17180748148889248428,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1852 /prefetch:2
PID: 4772 (depth 2)

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,10933780519558145855,17180748148889248428,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:3
PID: 852 (depth 2)

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,10933780519558145855,17180748148889248428,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2392 /prefetch:8
PID: 4488 (depth 2)

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,10933780519558145855,17180748148889248428,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
PID: 2052 (depth 2)

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,10933780519558145855,17180748148889248428,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:1
PID: 1000 (depth 2)

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4568,i,10933780519558145855,17180748148889248428,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
PID: 768 (depth 2)

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4612,i,10933780519558145855,17180748148889248428,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
PID: 4576 (depth 2)

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
PID: 1096 (depth 1)

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
PID: 1588 (depth 1)

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 2056 (depth 1)

C:\Users\Admin\Desktop\Roblox Account Manager.exe
"C:\Users\Admin\Desktop\Roblox Account Manager.exe"
- System Location Discovery: System Language Discovery
PID: 3784 (depth 1)

C:\Users\Admin\Desktop\Roblox Account Manager.exe
"C:\Users\Admin\Desktop\Roblox Account Manager.exe" -restart
(depth 2)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:388 -
C:\Users\Admin\AppData\Local\Temp\vcredist.tmp"C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" /q /norestart3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\Temp\{4E54CFC3-3FCB-427F-A232-0A58072C2FB0}\.cr\vcredist.tmp"C:\Windows\Temp\{4E54CFC3-3FCB-427F-A232-0A58072C2FB0}\.cr\vcredist.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" -burn.filehandle.attached=724 -burn.filehandle.self=728 /q /norestart4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Windows\Temp\{718BED17-050D-4260-AC1A-DCB9989DDC04}\.be\VC_redist.x86.exe"C:\Windows\Temp\{718BED17-050D-4260-AC1A-DCB9989DDC04}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{60798FCE-55A0-4BDC-8157-EAAD45992E18} {69BA9AD0-6C89-4ED1-A6CC-E6C3A61014C2} 19005⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2608 -
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={4373d0b5-4457-4a80-bad9-029de8df097b} -burn.filehandle.self=976 -burn.embedded BurnPipe.{5D9D1C76-8C91-4913-A118-F57B0FB1CE98} {76EA7A68-D4F1-4D59-9F93-653CFF7527D9} 26086⤵
- System Location Discovery: System Language Discovery
PID:2256 -
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={4373d0b5-4457-4a80-bad9-029de8df097b} -burn.filehandle.self=976 -burn.embedded BurnPipe.{5D9D1C76-8C91-4913-A118-F57B0FB1CE98} {76EA7A68-D4F1-4D59-9F93-653CFF7527D9} 26087⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2500 -
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{A757B420-1F0F-439E-BA7D-BC9714DC28FA} {5CBEF837-71B2-4625-AB96-5974CEB9B021} 25008⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4964
-
-
-
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵PID:2924
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads