Malware Analysis Report

2025-06-16 00:54

Sample ID 241031-qzc1gaxpb1
Target Roblox Account Manager.exe
SHA256 be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1
Tags
credential_access discovery persistence stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1

Threat Level: Likely malicious

The file Roblox Account Manager.exe was found to be: Likely malicious.

How to read the signature tables below: the Process column names the process that triggered each hit, and most hits in this report were not triggered by the submitted binary. The sample drops and runs a Microsoft Visual C++ 2015-2022 Redistributable (x86) 14.40.33816 bundle (vcredist.tmp and VC_redist.x86.exe, which in turn drive msiexec.exe and vssvc.exe), and that installer accounts for the RunOnce key, the drive-letter probe, the System32 and Windows directory writes, the Installer registry changes, the VSS and SCSI registry activity and the bulk of the privilege adjustments. Separately, chrome.exe runs from a PuppeteerSharp cache directory under the user's profile; that is what the "Uses browser remote debugging" signature keys on (Puppeteer drives Chrome over the DevTools protocol), and that chrome.exe is the process behind the SystemManufacturer, BIOS and TPM telemetry registry reads. Hits recorded against Roblox Account Manager.exe itself are the SeDebugPrivilege request, the GetForegroundWindow polling, the NLS\Language query and the creation of the Internet Explorer TypedURLs key; the raw.githubusercontent.com contacts are listed without a process. The 8/10 score is a heuristic sum over all of these, so the verdict should be weighed against the sample-attributed rows rather than the total count.

Malicious Activity Summary

credential_access discovery persistence stealer

Uses browser remote debugging

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Adds Run key to start application

Checks system information in the registry

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Modifies Internet Explorer settings

Modifies registry class

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 13:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 13:41

Reported

2024-10-31 13:43

Platform

win11-20241007-en

Max time kernel

91s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{30AA2097-F171-401B-A02A-C33ADA426E24}\.cr\vcredist.tmp N/A
N/A N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A
(the chrome.exe row above appears 23 times in the original table; the Indicator column, which would name the DLL loaded, is empty in every row)

Note: PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64 under %LOCALAPPDATA% is the default location where the PuppeteerSharp library stores the Chrome build it downloads, so this chrome.exe is a Puppeteer-managed browser rather than the user's installed Chrome, and the DLLs it loads are its own.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{4373d0b5-4457-4a80-bad9-029de8df097b} = "\"C:\\ProgramData\\Package Cache\\{4373d0b5-4457-4a80-bad9-029de8df097b}\\VC_redist.x86.exe\" /burn.runonce" C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A

Note: this RunOnce value is written by VC_redist.x86.exe, the Burn bootstrapper of the Visual C++ Redistributable the sample drops, and "/burn.runonce" is the bootstrapper's resume-after-reboot entry; Windows deletes a RunOnce value before executing it, so it does not outlive one reboot. No Run or RunOnce value written by Roblox Account Manager.exe itself is recorded in this report, so the "persistence" tag rests on installer behaviour.

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A

Note: every probe is by msiexec.exe during the redistributable install; the Windows Installer service opening each drive letter in turn is normal installer behaviour, not the sample enumerating drives.

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Note: neither the requesting process nor the fetched path is recorded here. raw.githubusercontent.com serves the files of any public repository, so the full URL from the Network section is needed before these two contacts can be read as payload hosting or C2 rather than an ordinary update or configuration fetch.

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\mfc140chs.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140fra.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140ita.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140rus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140fra.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140cht.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140deu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140kor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140cht.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140esn.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140esn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140chs.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140deu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140jpn.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140ita.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfcm140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140jpn.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140rus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140kor.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcruntime140_threads.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfcm140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140u.dll C:\Windows\system32\msiexec.exe N/A

Note: all of these are 32-bit Visual C++ 2022 runtime components (mfc140*, mfcm140*, msvcp140*, vcruntime140*, concrt140, vcomp140, vcamp140, vccorlib140) written by msiexec.exe into SysWOW64 as part of the VC_redist.x86 install; the sample itself writes nothing under System32 in this report.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\SourceHash{0DF1D9F9-6038-4641-AB6D-13DD654758A7} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI55A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{D7A66DA5-B103-45C1-A0A7-736C08E2F464} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF52DFE67ECB64F734.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5bfbc4.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFE11B738BAC3873A2.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A
File created C:\Windows\Installer\e5bfbb2.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5bfbc4.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFD48.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF792B39767D6C19A8.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5bfbc3.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF4903524B847A2AD2.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI44F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5bfbb2.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF2D02AD30E88E0423.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF4DDB802C4D9410D6.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5bfbd9.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF456B3BB13FB5F03A.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFE82.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFB4D256777A63F474.TMP C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{30AA2097-F171-401B-A02A-C33ADA426E24}\.cr\vcredist.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vcredist.tmp N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Note: the SCSI and VSS activity is all by vssvc.exe, the Volume Shadow Copy service, writing partition-table and snapshot cache values while the installer runs; no shadow-copy deletion or vssadmin invocation is recorded, so this does not indicate ransomware-style backup tampering.

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A

Note: this is the one registry change in the report made by the sample binary itself. Only the key creation is recorded; the values written under TypedURLs, if any, are what would show whether the sample reads or seeds browser history, and they are not in this report.

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133748557600429939" C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E} C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X86,X86,14.30,BUNDLE\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E} C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F9D1FD083061464BAD631DD5674857A\VC_Runtime_Additional C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F9D1FD083061464BAD631DD5674857A\Provider C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle\Dependents C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\Version = "14.40.33816.0" C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5AD66A7D301B1C540A7A37C6802E4F46\VC_Runtime_Minimum C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5040806F8AF9AAC49928419ED5A1D3CA C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.40.33816" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F9D1FD083061464BAD631DD5674857A C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\Version = "237536280" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\PackageName = "vc_runtimeAdditional_x86.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{0DF1D9F9-6038-4641-AB6D-13DD654758A7}v14.40.33816\\packages\\vcRuntimeAdditional_x86\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\ = "{4373d0b5-4457-4a80-bad9-029de8df097b}" C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\PackageCode = "91507CEA530B99A40B0EFDE1E0E92A0B" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14 C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.40.33816" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Dependents\{4373d0b5-4457-4a80-bad9-029de8df097b} C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.40.33816" C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.40.33816" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\ = "{D7A66DA5-B103-45C1-A0A7-736C08E2F464}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5AD66A7D301B1C540A7A37C6802E4F46\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\ProductName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.40.33816" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50\9F9D1FD083061464BAD631DD5674857A C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{D7A66DA5-B103-45C1-A0A7-736C08E2F464}v14.40.33816\\packages\\vcRuntimeMinimum_x86\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{4373d0b5-4457-4a80-bad9-029de8df097b} C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\679E80FBE29B63345BF612177149674C C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F9D1FD083061464BAD631DD5674857A\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5AD66A7D301B1C540A7A37C6802E4F46\Provider C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Version = "14.40.33816" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\ = "{0DF1D9F9-6038-4641-AB6D-13DD654758A7}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{0DF1D9F9-6038-4641-AB6D-13DD654758A7}v14.40.33816\\packages\\vcRuntimeAdditional_x86\\" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5AD66A7D301B1C540A7A37C6802E4F46 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\PackageCode = "74A59C9CB7128C440BC689986566ECC7" C:\Windows\system32\msiexec.exe N/A

Note: every row in this table is written by msiexec.exe or VC_redist.x86.exe and concerns the Installer\Products, Features, Dependencies and UpgradeCodes entries for the Visual C++ 2022 x86 Minimum and Additional runtimes 14.40.33816, replacing the earlier 14.30 bundle whose dependents are deleted; this is standard MSI bookkeeping, not the sample modifying registry classes.

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A

Note: the repeated GetForegroundWindow calls are made by the sample itself. Keyloggers poll this API to attribute keystrokes to windows, but so do GUI programs that track focus; on its own the signature is weak and becomes meaningful only alongside keyboard hooks or captured input, neither of which is recorded here.

Suspicious use of AdjustPrivilegeToken

Note: the only privilege adjusted by the sample itself is SeDebugPrivilege, which lets it open other processes regardless of owner and fits the EnumeratesProcesses and WriteProcessMemory signatures listed in the summary (whose originating processes are not shown on this page), so it is the row to follow up. The long run of privileges enabled by VC_redist.x86.exe is the elevated Burn bootstrapper enabling each privilege available to its token, and the SeBackup, SeRestore and SeAudit rows for vssvc.exe are normal for the Volume Shadow Copy service.

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2952 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
PID 2952 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
PID 2952 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
PID 3080 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\vcredist.tmp
PID 3080 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\vcredist.tmp
PID 3080 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\vcredist.tmp
PID 2380 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\vcredist.tmp C:\Windows\Temp\{30AA2097-F171-401B-A02A-C33ADA426E24}\.cr\vcredist.tmp
PID 2380 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\vcredist.tmp C:\Windows\Temp\{30AA2097-F171-401B-A02A-C33ADA426E24}\.cr\vcredist.tmp
PID 2380 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\vcredist.tmp C:\Windows\Temp\{30AA2097-F171-401B-A02A-C33ADA426E24}\.cr\vcredist.tmp
PID 2996 wrote to memory of 4164 N/A C:\Windows\Temp\{30AA2097-F171-401B-A02A-C33ADA426E24}\.cr\vcredist.tmp C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe
PID 2996 wrote to memory of 4164 N/A C:\Windows\Temp\{30AA2097-F171-401B-A02A-C33ADA426E24}\.cr\vcredist.tmp C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe
PID 2996 wrote to memory of 4164 N/A C:\Windows\Temp\{30AA2097-F171-401B-A02A-C33ADA426E24}\.cr\vcredist.tmp C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe
PID 4164 wrote to memory of 564 N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 4164 wrote to memory of 564 N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 4164 wrote to memory of 564 N/A C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 564 wrote to memory of 3312 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 564 wrote to memory of 3312 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 564 wrote to memory of 3312 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3312 wrote to memory of 2932 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3312 wrote to memory of 2932 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3312 wrote to memory of 2932 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3080 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 3080 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 2060 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe

"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe

"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart

C:\Users\Admin\AppData\Local\Temp\vcredist.tmp

"C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" /q /norestart

C:\Windows\Temp\{30AA2097-F171-401B-A02A-C33ADA426E24}\.cr\vcredist.tmp

"C:\Windows\Temp\{30AA2097-F171-401B-A02A-C33ADA426E24}\.cr\vcredist.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" -burn.filehandle.attached=728 -burn.filehandle.self=732 /q /norestart

C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe

"C:\Windows\Temp\{29E06F7C-1510-4D04-A3FD-A29DC0766AA8}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{986D2F78-1FAB-4F84-8FB1-73DA7CCD0560} {0CFA315C-177A-4EE2-B3EC-CE4E7B7C9A70} 2996

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={4373d0b5-4457-4a80-bad9-029de8df097b} -burn.filehandle.self=956 -burn.embedded BurnPipe.{9D1B8541-7542-4821-BA09-9F1E6D9C973D} {3869C70D-46FA-4CA9-8EC0-270263EDAC15} 4164

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=560 -uninstall -quiet -burn.related.upgrade -burn.ancestors={4373d0b5-4457-4a80-bad9-029de8df097b} -burn.filehandle.self=956 -burn.embedded BurnPipe.{9D1B8541-7542-4821-BA09-9F1E6D9C973D} {3869C70D-46FA-4CA9-8EC0-270263EDAC15} 4164

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{2BDA9C85-8DFD-4BC1-A704-40CA8180046B} {1B8BC8B9-94BA-4A4F-B8AC-6C0FDE340CEE} 3312

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --allow-pre-commit-input --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-field-trial-config --disable-hang-monitor --disable-infobars --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-search-engine-choice-screen --disable-sync --enable-automation --enable-blink-features=IdleDetection --export-tagged-pdf --generate-pdf-document-outline --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --disable-features=Translate,AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold --enable-features= about:blank --disable-web-security --window-size="880,740" --window-position="200,-34" --remote-debugging-port=0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p"

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p\Crashpad --annotation=plat=Win64 "--annotation=prod=Google Chrome for Testing" --annotation=ver=124.0.6367.201 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc28ffcc70,0x7ffc28ffcc7c,0x7ffc28ffcc88

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=gpu-process --disable-breakpad --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p" --no-appcompat-clear --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,13466541644589204222,8935004936565357921,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=1872 /prefetch:2

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p" --no-appcompat-clear --start-stack-profiler --field-trial-handle=1968,i,13466541644589204222,8935004936565357921,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=1952 /prefetch:3

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p" --no-appcompat-clear --field-trial-handle=2200,i,13466541644589204222,8935004936565357921,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:8

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p" --no-appcompat-clear --start-stack-profiler --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2772,i,13466541644589204222,8935004936565357921,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=2788 /prefetch:1

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p" --no-appcompat-clear --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2780,i,13466541644589204222,8935004936565357921,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=2984 /prefetch:1

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p" --no-appcompat-clear --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3768,i,13466541644589204222,8935004936565357921,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:1

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ylwy2j5u.l0p" --no-appcompat-clear --field-trial-handle=4900,i,13466541644589204222,8935004936565357921,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=4984 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
FR 2.20.90.140:443 aka.ms tcp
US 199.232.210.172:443 download.visualstudio.microsoft.com tcp
GB 20.26.156.210:443 api.github.com tcp
GB 128.116.119.4:443 clientsettings.roblox.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
GB 142.250.200.27:443 storage.googleapis.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
GB 142.250.200.27:443 storage.googleapis.com tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
BE 108.177.15.84:443 accounts.google.com tcp
US 8.8.8.8:53 roblox.com udp
US 8.8.8.8:53 roblox.com udp
GB 128.116.119.3:443 roblox.com tcp
GB 128.116.119.3:443 roblox.com tcp
US 8.8.8.8:53 www.roblox.com udp
US 8.8.8.8:53 www.roblox.com udp
GB 128.116.119.4:443 www.roblox.com tcp
US 8.8.8.8:53 css.rbxcdn.com udp
US 8.8.8.8:53 css.rbxcdn.com udp
US 8.8.8.8:53 static.rbxcdn.com udp
US 8.8.8.8:53 static.rbxcdn.com udp
US 8.8.8.8:53 js.rbxcdn.com udp
US 8.8.8.8:53 js.rbxcdn.com udp
US 8.8.8.8:53 images.rbxcdn.com udp
US 8.8.8.8:53 images.rbxcdn.com udp
GB 2.18.190.78:443 static.rbxcdn.com tcp
GB 2.18.190.73:443 images.rbxcdn.com tcp
GB 2.19.252.155:443 js.rbxcdn.com tcp
GB 2.19.252.155:443 js.rbxcdn.com tcp
GB 2.19.252.155:443 js.rbxcdn.com tcp
GB 2.19.252.155:443 js.rbxcdn.com tcp
GB 2.19.252.155:443 js.rbxcdn.com tcp
GB 2.19.252.155:443 js.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
US 8.8.8.8:53 metrics.roblox.com udp
US 8.8.8.8:53 metrics.roblox.com udp
US 8.8.8.8:53 apis.roblox.com udp
US 8.8.8.8:53 apis.roblox.com udp
US 8.8.8.8:53 apis.rbxcdn.com udp
US 8.8.8.8:53 apis.rbxcdn.com udp
GB 2.22.144.39:443 apis.rbxcdn.com tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
US 8.8.8.8:53 auth.roblox.com udp
US 8.8.8.8:53 auth.roblox.com udp
US 8.8.8.8:53 ecsv2.roblox.com udp
US 8.8.8.8:53 ecsv2.roblox.com udp
GB 142.250.200.10:443 content-autofill.googleapis.com tcp
N/A 127.0.0.1:50333 tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp

Files
