Analysis
-
max time kernel
91s -
max time network
95s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
31/10/2024, 13:41
Static task
static1
Behavioral task
behavioral1
Sample
Roblox Account Manager.exe
Resource
win11-20241007-en
General
-
Target
Roblox Account Manager.exe
-
Size
5.4MB
-
MD5
334728f32a1144c893fdffc579a7709b
-
SHA1
97d2eb634d45841c1453749acb911ce1303196c0
-
SHA256
be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1
-
SHA512
5df9d63136098d23918eba652b44a87e979430b2ce3e78a3eb8faef3dd4bd9599d6c31980f9eaf2bd6a071e966421bc6cec950c28b3b917f90130e8a582c2a1f
-
SSDEEP
98304:42bT1Qm7d9G4/Ml61KO9bjRxMLywnrmYa0kqXf0FJ7WLhrBzcgPgL6b:/Qm59RMowO9bjRmmYiYa0kSIJ7zgPE
Malware Config
Signatures
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 1384 chrome.exe 3088 chrome.exe 5092 chrome.exe 2060 chrome.exe -
Executes dropped EXE 12 IoCs
pid Process 2380 vcredist.tmp 2996 vcredist.tmp 4164 VC_redist.x86.exe 2060 chrome.exe 2032 chrome.exe 1904 chrome.exe 3884 chrome.exe 1016 chrome.exe 1384 chrome.exe 3088 chrome.exe 5092 chrome.exe 1496 chrome.exe -
Loads dropped DLL 25 IoCs
pid Process 2996 vcredist.tmp 3312 VC_redist.x86.exe 2060 chrome.exe 2032 chrome.exe 2060 chrome.exe 1904 chrome.exe 3884 chrome.exe 1904 chrome.exe 3884 chrome.exe 1016 chrome.exe 3884 chrome.exe 3884 chrome.exe 3884 chrome.exe 1016 chrome.exe 1384 chrome.exe 1384 chrome.exe 3088 chrome.exe 3884 chrome.exe 3884 chrome.exe 3884 chrome.exe 3088 chrome.exe 5092 chrome.exe 5092 chrome.exe 1496 chrome.exe 1496 chrome.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{4373d0b5-4457-4a80-bad9-029de8df097b} = "\"C:\\ProgramData\\Package Cache\\{4373d0b5-4457-4a80-bad9-029de8df097b}\\VC_redist.x86.exe\" /burn.runonce" VC_redist.x86.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 11 raw.githubusercontent.com 20 raw.githubusercontent.com -
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName chrome.exe -
Drops file in System32 directory 49 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\mfc140chs.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\mfc140fra.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\mfc140ita.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140enu.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140rus.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140fra.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\concrt140.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\mfc140cht.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\mfc140deu.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\mfc140kor.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140cht.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140esn.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\msvcp140_atomic_wait.dll msiexec.exe File created C:\Windows\SysWOW64\vccorlib140.dll msiexec.exe File created C:\Windows\SysWOW64\vcruntime140.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\mfc140enu.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\mfc140esn.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140u.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\mfc140.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140chs.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140deu.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140jpn.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\msvcp140_1.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\vcomp140.dll msiexec.exe File created C:\Windows\SysWOW64\concrt140.dll msiexec.exe File created C:\Windows\SysWOW64\msvcp140.dll msiexec.exe File created C:\Windows\SysWOW64\vcomp140.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140ita.dll msiexec.exe File created C:\Windows\SysWOW64\mfcm140u.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\msvcp140_2.dll msiexec.exe File created C:\Windows\SysWOW64\msvcp140_1.dll msiexec.exe File created C:\Windows\SysWOW64\msvcp140_atomic_wait.dll msiexec.exe File created C:\Windows\SysWOW64\vcamp140.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\mfcm140.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\mfc140jpn.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\mfc140rus.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140kor.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\vcruntime140.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\msvcp140.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\vccorlib140.dll msiexec.exe File created C:\Windows\SysWOW64\msvcp140_2.dll msiexec.exe File created C:\Windows\SysWOW64\vcruntime140_threads.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\mfcm140u.dll msiexec.exe File created C:\Windows\SysWOW64\mfcm140.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\vcamp140.dll msiexec.exe File created C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\mfc140u.dll msiexec.exe -
Drops file in Windows directory 24 IoCs
description ioc Process File created C:\Windows\Installer\SourceHash{0DF1D9F9-6038-4641-AB6D-13DD654758A7} msiexec.exe File opened for modification C:\Windows\Installer\MSI55A.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{D7A66DA5-B103-45C1-A0A7-736C08E2F464} msiexec.exe File created C:\Windows\SystemTemp\~DF52DFE67ECB64F734.TMP msiexec.exe File opened for modification C:\Windows\Installer\e5bfbc4.msi msiexec.exe File created C:\Windows\SystemTemp\~DFE11B738BAC3873A2.TMP msiexec.exe File opened for modification C:\Windows\SystemTemp chrome.exe File created C:\Windows\Installer\e5bfbb2.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\e5bfbc4.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIFD48.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF792B39767D6C19A8.TMP msiexec.exe File created C:\Windows\Installer\e5bfbc3.msi msiexec.exe File created C:\Windows\SystemTemp\~DF4903524B847A2AD2.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI44F.tmp msiexec.exe File opened for modification C:\Windows\Installer\e5bfbb2.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\SystemTemp\~DF2D02AD30E88E0423.TMP msiexec.exe File created C:\Windows\SystemTemp\~DF4DDB802C4D9410D6.TMP msiexec.exe File created C:\Windows\Installer\e5bfbd9.msi msiexec.exe File created C:\Windows\SystemTemp\~DF456B3BB13FB5F03A.TMP msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIFE82.tmp msiexec.exe File created C:\Windows\SystemTemp\~DFB4D256777A63F474.TMP msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vcredist.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VC_redist.x86.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VC_redist.x86.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VC_redist.x86.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VC_redist.x86.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Roblox Account Manager.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Roblox Account Manager.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vcredist.tmp -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008e4795fcec2d58710000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008e4795fc0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809008e4795fc000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d8e4795fc000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008e4795fc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\TypedURLs Roblox Account Manager.exe -
Modifies data under HKEY_USERS 11 IoCs
description ioc Process Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28 msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29 msiexec.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133748557600429939" chrome.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 msiexec.exe -
Modifies registry class 64 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E} VC_redist.x86.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Media msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\Language = "1033" msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X86,X86,14.30,BUNDLE\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E} VC_redist.x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F9D1FD083061464BAD631DD5674857A\VC_Runtime_Additional msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F9D1FD083061464BAD631DD5674857A\Provider msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle\Dependents VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\Version = "14.40.33816.0" VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5AD66A7D301B1C540A7A37C6802E4F46\VC_Runtime_Minimum msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5040806F8AF9AAC49928419ED5A1D3CA msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.40.33816" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F9D1FD083061464BAD631DD5674857A msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\Version = "237536280" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\PackageName = "vc_runtimeAdditional_x86.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{0DF1D9F9-6038-4641-AB6D-13DD654758A7}v14.40.33816\\packages\\vcRuntimeAdditional_x86\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\ = "{4373d0b5-4457-4a80-bad9-029de8df097b}" VC_redist.x86.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Media msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\PackageCode = "91507CEA530B99A40B0EFDE1E0E92A0B" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\Assignment = "1" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14 VC_redist.x86.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.40.33816" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Dependents\{4373d0b5-4457-4a80-bad9-029de8df097b} VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.40.33816" VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.40.33816" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\ = "{D7A66DA5-B103-45C1-A0A7-736C08E2F464}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5AD66A7D301B1C540A7A37C6802E4F46\Servicing_Key msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\ProductName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.40.33816" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50\9F9D1FD083061464BAD631DD5674857A msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle VC_redist.x86.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{D7A66DA5-B103-45C1-A0A7-736C08E2F464}v14.40.33816\\packages\\vcRuntimeMinimum_x86\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{4373d0b5-4457-4a80-bad9-029de8df097b} VC_redist.x86.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\679E80FBE29B63345BF612177149674C msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F9D1FD083061464BAD631DD5674857A\Servicing_Key msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\Media\1 = ";" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5AD66A7D301B1C540A7A37C6802E4F46\Provider msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\Language = "1033" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Version = "14.40.33816" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\ = "{0DF1D9F9-6038-4641-AB6D-13DD654758A7}" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{0DF1D9F9-6038-4641-AB6D-13DD654758A7}v14.40.33816\\packages\\vcRuntimeAdditional_x86\\" msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5AD66A7D301B1C540A7A37C6802E4F46 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\PackageCode = "74A59C9CB7128C440BC689986566ECC7" msiexec.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1700 msiexec.exe 1700 msiexec.exe 1700 msiexec.exe 1700 msiexec.exe 1700 msiexec.exe 1700 msiexec.exe 1700 msiexec.exe 1700 msiexec.exe 2060 chrome.exe 2060 chrome.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3080 Roblox Account Manager.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 2060 chrome.exe 2060 chrome.exe 2060 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3080 Roblox Account Manager.exe Token: SeBackupPrivilege 1172 vssvc.exe Token: SeRestorePrivilege 1172 vssvc.exe Token: SeAuditPrivilege 1172 vssvc.exe Token: SeShutdownPrivilege 4164 VC_redist.x86.exe Token: SeIncreaseQuotaPrivilege 4164 VC_redist.x86.exe Token: SeSecurityPrivilege 1700 msiexec.exe Token: SeCreateTokenPrivilege 4164 VC_redist.x86.exe Token: SeAssignPrimaryTokenPrivilege 4164 VC_redist.x86.exe Token: SeLockMemoryPrivilege 4164 VC_redist.x86.exe Token: SeIncreaseQuotaPrivilege 4164 VC_redist.x86.exe Token: SeMachineAccountPrivilege 4164 VC_redist.x86.exe Token: SeTcbPrivilege 4164 VC_redist.x86.exe Token: SeSecurityPrivilege 4164 VC_redist.x86.exe Token: SeTakeOwnershipPrivilege 4164 VC_redist.x86.exe Token: SeLoadDriverPrivilege 4164 VC_redist.x86.exe Token: SeSystemProfilePrivilege 4164 VC_redist.x86.exe Token: SeSystemtimePrivilege 4164 VC_redist.x86.exe Token: SeProfSingleProcessPrivilege 4164 VC_redist.x86.exe Token: SeIncBasePriorityPrivilege 4164 VC_redist.x86.exe Token: SeCreatePagefilePrivilege 4164 VC_redist.x86.exe Token: SeCreatePermanentPrivilege 4164 VC_redist.x86.exe Token: SeBackupPrivilege 4164 VC_redist.x86.exe Token: SeRestorePrivilege 4164 VC_redist.x86.exe Token: SeShutdownPrivilege 4164 VC_redist.x86.exe Token: SeDebugPrivilege 4164 VC_redist.x86.exe Token: SeAuditPrivilege 4164 VC_redist.x86.exe Token: SeSystemEnvironmentPrivilege 4164 VC_redist.x86.exe Token: SeChangeNotifyPrivilege 4164 VC_redist.x86.exe Token: SeRemoteShutdownPrivilege 4164 VC_redist.x86.exe Token: SeUndockPrivilege 4164 VC_redist.x86.exe Token: SeSyncAgentPrivilege 4164 VC_redist.x86.exe Token: SeEnableDelegationPrivilege 4164 VC_redist.x86.exe Token: SeManageVolumePrivilege 4164 VC_redist.x86.exe Token: SeImpersonatePrivilege 4164 VC_redist.x86.exe Token: SeCreateGlobalPrivilege 4164 VC_redist.x86.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 2060 chrome.exe 2060 chrome.exe 2060 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2952 wrote to memory of 3080 2952 Roblox Account Manager.exe 80 PID 2952 wrote to memory of 3080 2952 Roblox Account Manager.exe 80 PID 2952 wrote to memory of 3080 2952 Roblox Account Manager.exe 80 PID 3080 wrote to memory of 2380 3080 Roblox Account Manager.exe 81 PID 3080 wrote to memory of 2380 3080 Roblox Account Manager.exe 81 PID 3080 wrote to memory of 2380 3080 Roblox Account Manager.exe 81 PID 2380 wrote to memory of 2996 2380 vcredist.tmp 82 PID 2380 wrote to memory of 2996 2380 vcredist.tmp 82 PID 2380 wrote to memory of 2996 2380 vcredist.tmp 82 PID 2996 wrote to memory of 4164 2996 vcredist.tmp 83 PID 2996 wrote to memory of 4164 2996 vcredist.tmp 83 PID 2996 wrote to memory of 4164 2996 vcredist.tmp 83 PID 4164 wrote to memory of 564 4164 VC_redist.x86.exe 93 PID 4164 wrote to memory of 564 4164 VC_redist.x86.exe 93 PID 4164 wrote to memory of 564 4164 VC_redist.x86.exe 93 PID 564 wrote to memory of 3312 564 VC_redist.x86.exe 94 PID 564 wrote to memory of 3312 564 VC_redist.x86.exe 94 PID 564 wrote to memory of 3312 564 VC_redist.x86.exe 94 PID 3312 wrote to memory of 2932 3312 VC_redist.x86.exe 95 PID 3312 wrote to memory of 2932 3312 VC_redist.x86.exe 95 PID 3312 wrote to memory of 2932 3312 VC_redist.x86.exe 95 PID 3080 wrote to memory of 2060 3080 Roblox Account Manager.exe 99 PID 3080 wrote to memory of 2060 3080 Roblox Account Manager.exe 99 PID 2060 wrote to memory of 2032 2060 chrome.exe 100 PID 2060 wrote to memory of 2032 2060 chrome.exe 100 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 3884 2060 chrome.exe 104 PID 2060 wrote to memory of 1904 2060 chrome.exe 105 PID 2060 wrote to memory of 1904 2060 chrome.exe 105 PID 2060 wrote to memory of 1016 2060 chrome.exe 106 PID 2060 wrote to memory of 1016 2060 chrome.exe 106 PID 2060 wrote to memory of 1016 2060 chrome.exe 106 PID 2060 wrote to memory of 1016 2060 chrome.exe 106 PID 2060 wrote to memory of 1016 2060 chrome.exe 106 PID 2060 wrote to memory of 1016 2060 chrome.exe 106 PID 2060 wrote to memory of 1016 2060 chrome.exe 106 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Users\Admin\AppData\Local\Temp\vcredist.tmp"C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" /q /norestart3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\Temp\{30AA2097-F171-401B-A02A-C33ADA426E24}\.cr\vcredist.tmp"C:\Windows\Temp\{30AA2097-F171-401B-A02A-C33ADA426E24}\.cr\vcredist.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" -burn.filehandle.attached=728 -burn.filehandle.self=732 /q /norestart4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe"C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{986D2F78-1FAB-4F84-8FB1-73DA7CCD0560} {0CFA315C-177A-4EE2-B3EC-CE4E7B7C9A70} 29965⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={4373d0b5-4457-4a80-bad9-029de8df097b} -burn.filehandle.self=956 -burn.embedded BurnPipe.{9D1B8541-7542-4821-BA09-9F1E6D9C973D} {3869C70D-46FA-4CA9-8EC0-270263EDAC15} 41646⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:564 -
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=560 -uninstall -quiet -burn.related.upgrade -burn.ancestors={4373d0b5-4457-4a80-bad9-029de8df097b} -burn.filehandle.self=956 -burn.embedded BurnPipe.{9D1B8541-7542-4821-BA09-9F1E6D9C973D} {3869C70D-46FA-4CA9-8EC0-270263EDAC15} 41647⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{2BDA9C85-8DFD-4BC1-A704-40CA8180046B} {1B8BC8B9-94BA-4A4F-B8AC-6C0FDE340CEE} 33128⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2932
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --allow-pre-commit-input --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-field-trial-config --disable-hang-monitor --disable-infobars --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-search-engine-choice-screen --disable-sync --enable-automation --enable-blink-features=IdleDetection --export-tagged-pdf --generate-pdf-document-outline --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --disable-features=Translate,AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold --enable-features= about:blank --disable-web-security --window-size="880,740" --window-position="200,-34" --remote-debugging-port=0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p"3⤵
- Uses browser remote debugging
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exeC:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p\Crashpad --annotation=plat=Win64 "--annotation=prod=Google Chrome for Testing" --annotation=ver=124.0.6367.201 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc28ffcc70,0x7ffc28ffcc7c,0x7ffc28ffcc884⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032
-
-
C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=gpu-process --disable-breakpad --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p" --no-appcompat-clear --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,13466541644589204222,8935004936565357921,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=1872 /prefetch:24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3884
-
-
C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p" --no-appcompat-clear --start-stack-profiler --field-trial-handle=1968,i,13466541644589204222,8935004936565357921,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=1952 /prefetch:34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1904
-
-
C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p" --no-appcompat-clear --field-trial-handle=2200,i,13466541644589204222,8935004936565357921,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:84⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016
-
-
C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p" --no-appcompat-clear --start-stack-profiler --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2772,i,13466541644589204222,8935004936565357921,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=2788 /prefetch:14⤵
- Uses browser remote debugging
- Executes dropped EXE
- Loads dropped DLL
PID:3088
-
-
C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p" --no-appcompat-clear --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2780,i,13466541644589204222,8935004936565357921,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=2984 /prefetch:14⤵
- Uses browser remote debugging
- Executes dropped EXE
- Loads dropped DLL
PID:1384
-
-
C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p" --no-appcompat-clear --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3768,i,13466541644589204222,8935004936565357921,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:14⤵
- Uses browser remote debugging
- Executes dropped EXE
- Loads dropped DLL
PID:5092
-
-
C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p" --no-appcompat-clear --field-trial-handle=4900,i,13466541644589204222,8935004936565357921,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=4984 /prefetch:84⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1172
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵PID:4952
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:3424
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD58f8840583b64d661d7847a637b537163
SHA12a566aa0c48fec936ad2e4a91d6721f2a5ad34c1
SHA25657aa21f0c0f549cbecec6c2ac291030144c85fc49abef5a0677cb618e6201d74
SHA5123ef6fee0bdc797a2d5de59e9d44dae55cfa86e91f07295566210373b813f8c858207ded78cf52045fa4e73781609788facb49476b4398e9ffdf56c7c5d638252
-
Filesize
18KB
MD525b23e0ffac3ec5e7f2ed739909946f3
SHA1933507bb39bd085ac5091ac60aae0e1c09c91d97
SHA2569666bfe23c5989d996c1bc66405d25e47bdfd789316331095137ec688074b495
SHA5127e23f50288eed99aff79348420f6baef427a36398b17cd7caa786b635fa2782ca6a119c191bfcda7282540bd617690117bf0d4089d2caeadd9c3c4e8c373ff77
-
Filesize
20KB
MD582f8099d52c8c0efee73db563a844627
SHA10afcf12fc0b96fd99966a49b782de2b66bc3df7a
SHA25656dcbefa2fb6bb662393b4dd69e6f0056600a3a5cbec5828ee05f3120e4ab13b
SHA5129726c7ab5e1a3fe85d1b04fddadd72c22a4aedd93584f85aa227986a026a9c42aff4c30a61ce7f84a0a2d7de0bec0226b4face2f189a5821b9d89c31031d67d0
-
Filesize
19KB
MD5e7e932a2ed860ce5f7bc406aa19367bb
SHA16064240c4d0a8cb9a3ea71786e3f7b1fe796fab8
SHA256406e4e3d1cf3fee5e8397ace243e0de552353b56a7c938dc09ff5eb99cf45025
SHA5122a0d95bd126d70c6cbf5076ff0f030739c711ccd7d594330db1083de33858cd4b3424d9993b410909b17357c091a368516dca71b41d273317cd32f866aa20624
-
Filesize
1KB
MD572c442c0ee7dde7b3455bb315289bcf2
SHA1d33367411ce01348f531e098495885b9d2ea110b
SHA256180f825c19263ae06fc891efcde51f993b720a27bd6e563742a110b40cb3fe41
SHA512b66e975424f17e3b4dce2d2746d78b8a05001ee17a7208c1f5f81ed8530aa2e3d4b10f4c64b33ba7c05a5e9e2afc548abf6bdfaffd6015c2cb7d624a688dc018
-
C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\D3DCompiler_47.dll
Filesize4.7MB
MD5a7b7470c347f84365ffe1b2072b4f95c
SHA157a96f6fb326ba65b7f7016242132b3f9464c7a3
SHA256af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a
SHA51283391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d
-
Filesize
2.5MB
MD5f26dfce9583f0d7d41b31ee11e56be43
SHA15718e9ea9c5ec6888a3d5eae9c090b0880414b0a
SHA256613536f294de53d1e9bb53a31269300fef4427f5e461ff6c7a1de3fa88c7667c
SHA51288447cf2767667a2d470b62b2f2be79483343003e40e02deeafc20ea27d63b66cd336ceede04f850edb920009672682e32290050b18daf9c575bd020d7bd4966
-
C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome_100_percent.pak
Filesize665KB
MD5f796340aed680b64c37657912c63b050
SHA18fccd026e7e88c733cbd37b495e9e0afff0b24be
SHA256329113e1ab3c6ac34d8375fd0a66e6ba12c1c49675101d10e231316b5a14c8c2
SHA51298a8d6858b23bebdee8c7d13d5534aa568bffd2e9c030aec2263778ac2bdd7dea5c7e38b942352089ec4123d789eeaa2376623fba652e119db61cc006d3ace56
-
C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome_200_percent.pak
Filesize1.0MB
MD5e7f0c4a2f06aa4c40206cdc1bfb9166e
SHA114679473561d6f3d710a2514620e2f97650e5791
SHA2563cd793c813d79579e5dafb3b63204e2ccb525f6b27a6dc25525c9fafabce4d29
SHA512fcca36df17760212654f3d08a0265fbce42b51a3ca13e70012dd723fd6ea084775036744fe32d0439fcf496c2fb2d5a733fbb87bdd3f318a64bb4611c7ff5f58
-
Filesize
1.2MB
MD5561916711c707fe011411fd3d2cf71a8
SHA1f7780da112a6abb515e7a9883810cf82a634674a
SHA2560d2ccf801ceabba978a77238e1b79afc9a66983a11c07e011f876c063a71ffdb
SHA51229b11fa1ffff586df4bae7a141a5e69500e327b54aa19efc32bd5bdd2f9652bbb641bc7bdc3116c95ca27022022894da5f9c94c987ce6c9793fce93f668b9c5a
-
Filesize
20.9MB
MD56caa5cb29ca313e5facf1ecb9bf1bb0e
SHA11c57de100aaecdfd5d57305a33bc15bee78822be
SHA25681b7a214c95ca2462addcc6061604fc69c4393f1fc2b4457e015f38cb7d54093
SHA512dfef239eab517de44435a61d199136e1a44a450ad2ecbfe4d542b4be57dcbb2948a6c553e2e56920628e4e7eae6db3f2a7aeefca6e3854563838ef2ac2deaa52
-
Filesize
1.4MB
MD530da04b06e0abec33fecc55db1aa9b95
SHA1de711585acfe49c510b500328803d3a411a4e515
SHA256a5fe1d8d9caa2ff29daffd53f73a9a4e19c250351b2abe4fc7b57e60ce67ac68
SHA51267790874377e308d1448d0e41df9dd353a5f63686df4eb9a8e70a4da449b0c63a5d3655ab38d24b145ad3c57971b1c6793ea6c5ac2257b6eb2e8964a44ab0f08
-
Filesize
10.2MB
MD574bded81ce10a426df54da39cfa132ff
SHA1eb26bcc7d24be42bd8cfbded53bd62d605989bbf
SHA2567bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9
SHA512bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a
-
Filesize
460KB
MD506ed270c198a3d563ee931ac6f825683
SHA13c34e2bcf9099413a176085a3e1cade95035d3d2
SHA25689c3cf5576b06b8114450f55f16f5fa0c2197db45a7ef0e57bc0eda872dcd6f5
SHA512e865bae51bc2c2687049919a5581339a70f66beb9eb62488830be06ec1892f8bb11bc5728f9c7665469dae7333bfa110312696d954f19d0c86aad8277453a713
-
Filesize
7.6MB
MD5acd281e2a183ef45f130663118d20897
SHA1dcab723cc20477a40d99a62e6bbfb75fa470c47f
SHA2566cebea494ff17a5ec8c54b7fd5e13834eae556178ac42e7eab545263646aa080
SHA512a59c491002224e86b4598104927b4c10107bf964ea7ad192f9ac6dca8a9a5b39d0e37c888c6d2e36234eb0b48c60a55da36852d377f4a506ca41274f834703ee
-
C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\locales\en-US.pak
Filesize394KB
MD5a8af211968e7d1fbc577fc55e1859f6d
SHA11fbf54c0be76318b4c4ede2daea08191221df890
SHA25692efd174fffe9e958e20edf1acdb9394ce81ae38b9d1a04203cb35585ecbb5b7
SHA51211c2d88467135e8d39c06dffe27be53c471d0c917b1767050d6c36dd7701ecac22680313203efc312ac6ffe867da658cc38ccb9ba19962e78a5accc6e5df0e21
-
Filesize
8.0MB
MD5d092e6572493590a6cb2498e029509dc
SHA1f3564c4fec2e855486d63a90e34b1abb59e40ecb
SHA256103ba11595d71025abc07c1f32e9f0fa11d9a191afeba6ee950154c5b358ac0b
SHA512e8894be07117dd7fa624a8d48dafa9371623bad475bc2523eaa5d0da1aa026deecb03062678a35a79c9798d5215a008ed812548ae2107d22bbe226940499d7ff
-
C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\v8_context_snapshot.bin
Filesize641KB
MD50753b1e35ebc257c8511b6f219fac1ec
SHA17acd65cbcc253130b0127a0a189601671e9fc1d1
SHA256ddd3a5acffc4e8d6b9211c84733debdf394c3cb12d702598e1a5e56b13c89c61
SHA512b9dfac660d834aacb30e6e1e272c4f0669659514f48aadc8b5542dd42ca1bd5aca4bbd00941c2ccacccc9ca068f133623dedc9994f5ccbbf1ac36bbdef99aee2
-
C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\vk_swiftshader.dll
Filesize5.0MB
MD550b6baa8afafbf849557eef9a6c600af
SHA18f050d6b8a89be5d27209ae26c90874757a8eb5f
SHA256b1bdf61233010357f8bf5d5837719229b527581ac2ebcd5c9662f04471f2cc9e
SHA51260866cc0fd0aa65febdf1da751701bcaf3cd90edf3cca3a8b3058c1aed26b56ba74332be697d22b30214446234477030a86605cc71b85940ea8adc6c169e7f35
-
Filesize
1014B
MD51d917eaf5dcc8e06dd032c33f3a3d36a
SHA11eacb4eced22393fd5140910d30070f2e054e2fe
SHA256787fa9af1c32b7e198119469c0e2c02c06b34ec7c990b62b9f4fb9bc8cedaa5f
SHA5123cf5bc6160262ad454477cc0fab401696a7e5dff9e6fae1cdcfa0579ded640ea8c383dfcea6194f55c914927058e2355fd661d1fa83f87c10aeffa6a91cb9fcd
-
Filesize
314B
MD5f18fa783f4d27e35e54e54417334bfb4
SHA194511cdf37213bebdaf42a6140c9fe5be8eb07ba
SHA256563eb35fd613f4298cd4dceff67652a13ba516a6244d9407c5709323c4ca4bb1
SHA512602f6a68562bc89a4b3c3a71c2477377f161470bf8ae8e6925bf35691367115abfa9809925bd09c35596c6a3e5a7e9d090e5198e6a885a6658049c8732a05071
-
Filesize
6KB
MD50a86fa27d09e26491dbbb4fe27f4b410
SHA163e4b5afb8bdb67fc1d6f8dddeb40be20939289e
SHA2562b6d99db8369b0ff6372737d89d1c9e4101815b4168a3852c7b513f2897e7f3d
SHA512fbebc4dc0925d5d67271cac04c1ed324091442ef4c9f6243d2c1c523c9aa6b338c6a594e4987fc142dd3b2a023338a267c8a3454e47fbf0b3e0dbd7b3b65cc0d
-
Filesize
2KB
MD542821b66c54d49747373573cb09c6e3c
SHA143ca2224522269941b4b9dcae1ac41141e77c631
SHA2560cd83cb0a9268955e043b742f1f137e6ad12f25bbf63b67ef9ca6dfe39087c48
SHA5126b22d60b64b3034862cfd7082dbc8f7cc9ef759afab3319efcf0eef089d8e62e6d108d9b27edbfe853a4ddf4b2c6c67365478a9deda17292effcbc9e2ca38225
-
Filesize
3KB
MD50f6e5cfa17d2a486075cccfc87dc8fb3
SHA12c9086958a36e18e175ae9e2628daa67471ecbc3
SHA25648bc317616441e4ffe8933f57160184d4542f98f5ff8fa1b882f0240365f205e
SHA5126e746834039c9e178c58e23db0c327675f626751e71e1c588fb4a8382eec3b5b0a299055e245c3ba58ec72b6c4cecad39c5f44f889df0b91d718383708fd62fa
-
Filesize
936B
MD5e4659ac08af3582a23f38bf6c562f841
SHA119cb4f014ba96285fa1798f008deabce632c7e76
SHA256e4b10630d9ec2af508de31752fbbc6816c7426c40a3e57f0a085ce7f42c77bd5
SHA5125bfa1e021cc7ee5e7a00da865d68684202b3b92d3d369b85b80c591fffa67725d434398325dc1e37c659eab62c0a4118b3e279ac0096b95790d252ceb6254249
-
Filesize
13.3MB
MD5d38126688b5647bf209606d07a90c2e6
SHA1467bb2c862def52f2858e5158c96f7ac6d6dcab2
SHA256ed1967c2ac27d806806d121601b526f84e497ae1b99ed139c0c4c6b50147df4a
SHA5128a0991b993d5206450228454b4f83251cc311cc2b0dd105494928e03bf2e865de8ccf9676c8e7453164bb1805929a3a9616ea020524b77dbc0a6bbca0d222daf
-
Filesize
264KB
MD5d0d388f3865d0523e451d6ba0be34cc4
SHA18571c6a52aacc2747c048e3419e5657b74612995
SHA256902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17
-
Filesize
1KB
MD5e57ceec1d28a75d24944336631c4e79c
SHA138fc7c53958ee2ab27cd708a5ca76039979b8940
SHA256a9eb49f4f0bc31691080b3caafb498c615fa50d38b88f0c008e379c6f1725ff7
SHA5123efa61dbeff013a9b7238993b989cbe294c4c95438c8bd08166cb818eddc1ecf23a80e3d9e0130e3104cb3997b494d360b7c65d1d3f1cc8004b8eb7f552db759
-
C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p\Default\Code Cache\js\index-dir\the-real-index~RFe5c40c9.TMP
Filesize48B
MD5bdd018bd76e9fc290dd8d2fa044c5b9b
SHA11249c67739d30f9638b8f9484c4ffa4c6f206656
SHA2566e3099423316b7e0d430e701cb977e8e7a8e01034b5f930bcedc4179baf5ca2e
SHA5127a875fbd20ceaaee18002ec97e81a56a1ecfc09d05bcc405c41a770f7055877091afa61c53394587a4d4ef9a171f1437daa6987862e07ace4d855ccbb2418464
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
3KB
MD5ea2023199df874e425ce4942150106a7
SHA1ca0fe556bc4b882c4ff437cae6ff46959a8975d1
SHA25629fcb76f96b47edf73a7cc4d6132630e05efa822ade14b350e6bcb5a3d86a07e
SHA512c8f597b5039df15072bb3439438ee91d3087554716c137f6e11de38618fc163c714f2d4aac5ed70d88dc165809b136443424b829b642809a36a1e6e50504cb0a
-
Filesize
3KB
MD5214e699b3b09a7ce5b58f5c2ba1dc0e1
SHA14f55a0c082018255a4dec4afb1c8c872a39d0d7b
SHA2561d592153586e0fad91857e1336d41b5c45bae07eb668b998ba9d8d3f22695bb1
SHA5120f9f52c80e0b349429132db00198305753f65330373bb7e0e057732d40281e3fd6984b3a89cda09a45d18f8448db321657c52e40656f91bc5c92c864c743e895
-
Filesize
839B
MD58ea21402e20e49583c1f94d1dc0ba156
SHA1c9dfbc8d7b9c77a02707b0a196f503dca7e8f827
SHA2567c5a37f3442a67aaecf968948f810b1d1b2cd58877f9015313966c9b84e50edc
SHA51237763b1610175e6bab8215a18f611a9271864d38a19aeaea5283a3eccf827d0c49acc6e426a724316a43d572dd5a6ef2432ba8bf41a8b7498228519c2e438a25
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
215KB
MD5f68f43f809840328f4e993a54b0d5e62
SHA101da48ce6c81df4835b4c2eca7e1d447be893d39
SHA256e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e
SHA512a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1
-
Filesize
828KB
MD5c15278501772ebaf95ab908b94a552f2
SHA1cf9c8ae523d9a6ed2797be072c9f659b9ed5dadb
SHA25617d7bcb6c05f6c422f1bfbf5db923fc7d1427ec578968b75403830e759853b07
SHA512f109a3af129b0025bd6dfb141d27e3d336145bc70c1fde590e44e4402d479680ca91ac0bc8cf8cd854e05a74c649719822218b2a1f58f75cbbaa9f03c9aeaf93
-
Filesize
5.0MB
MD5512cc3e31ba72999bd0be1ff2faf59df
SHA156210834f64afa1800def2bc26d421e78c056639
SHA25655b0b98e9222a6f43c644bbf6f642267535d08270dce52c09e0f31b98385ffb0
SHA5123c912488fdbd9b6f01e87a189f825b77c186d018df9ed27fe554644eb0b40fdeac8903f7ee99a77c740c75b27056fd7977e47810144714052539308d16a7df67
-
Filesize
200KB
MD54879fe953ed435ca08589645b8eec144
SHA1bc58d6f3ed69be01690d97c59dafda612cbc5f2b
SHA2560ddc3f10282fdb663ac92ce5930e46cf996a4b42b592b9911b4001d12d4178bc
SHA512222cb3f93b5d759c87077716f9cc95f152997e6c95a13aae8a4e789c274836ba41a03b6e08926135efdc8cd8413b47f02f34ddd4f6c7622ea98458b6e06d24ce
-
Filesize
200KB
MD5aebc9db05b27963bdd7dc5f3c7eca0a9
SHA131d6f6cabd5fbfb7c2899d481f18e18930dbfdfd
SHA256d9598b33dc795da4cbd520b790c45507cbce3976576e0e506b388c5f7ac3290c
SHA512564d945821d80e27fdffcfdafd79c72d498018067a74e85fd6ee595a6a09453ae0fb1df41b430f656001bafc1b0b89c5433bd5aae48c179daa7a8a8732090c63
-
Filesize
669KB
MD538b9328b53a786141dc7d54992aa03bc
SHA1b3de0981128c8170b70e977a21c6c7e3e8437d8f
SHA25632e2651799071c5e6c51bdaf0df7823526b25b2f34c01f9472bb159044d62c11
SHA512b5ac7f0675feea295be0553520fd5341e5122ea1e33d2eaffa5d9f9170f5c97b30ea5db25774c00a69ecc48f018412bb1795e357aafc7565e242e5e4025527e2
-
Filesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2