Malware Analysis Report

2024-12-07 17:21

Sample ID 241112-m4dk1stral
Target Roblox Account Manager.exe
SHA256 be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1
Tags
credential_access discovery persistence stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1

Threat Level: Likely malicious

The file Roblox Account Manager.exe was found to be: Likely malicious.

Malicious Activity Summary

credential_access discovery persistence stealer

Uses browser remote debugging

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Blocklisted process makes network request

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Checks system information in the registry

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies data under HKEY_USERS

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 11:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 11:00

Reported

2024-11-12 11:02

Platform

win11-20241007-en

Max time kernel

73s

Max time network

59s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{7623CB75-D7E8-4204-B0DC-ABB6699E722C}\.cr\vcredist.tmp N/A
N/A N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A (identical row reported 24 times)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{4373d0b5-4457-4a80-bad9-029de8df097b} = "\"C:\\ProgramData\\Package Cache\\{4373d0b5-4457-4a80-bad9-029de8df097b}\\VC_redist.x86.exe\" /burn.runonce" C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140rus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140deu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140esn.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140fra.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140ita.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140cht.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140deu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140ita.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140jpn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140esn.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140kor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140chs.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140cht.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140rus.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140kor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcruntime140_threads.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140chs.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140fra.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140jpn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfcm140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfcm140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140u.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SystemTemp\~DF207DA3E861A73B72.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF290.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF0F81566282FC5FC0.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57ec9a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEFCF.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFD0CDA26265F9F6CC.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF6E6D0F6B9D3C3A47.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF3F8.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57ec84.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57ec85.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{0DF1D9F9-6038-4641-AB6D-13DD654758A7} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF4C169CE5372B0479.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFD7E08DAB4623AC84.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57ec73.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{D7A66DA5-B103-45C1-A0A7-736C08E2F464} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEED4.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFB99CADAF1F62769E.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57ec85.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57ec73.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFAB24DDABAFC7B342.TMP C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vcredist.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{7623CB75-D7E8-4204-B0DC-ABB6699E722C}\.cr\vcredist.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value omitted] C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133758829123454283" C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{D7A66DA5-B103-45C1-A0A7-736C08E2F464}v14.40.33816\\packages\\vcRuntimeMinimum_x86\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50\9F9D1FD083061464BAD631DD5674857A C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E} C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5040806F8AF9AAC49928419ED5A1D3CA C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5AD66A7D301B1C540A7A37C6802E4F46 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\Version = "237536280" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X86,X86,14.30,BUNDLE\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E} C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\Version = "14.40.33816.0" C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14 C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\PackageCode = "74A59C9CB7128C440BC689986566ECC7" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{4373d0b5-4457-4a80-bad9-029de8df097b} C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\ = "{4373d0b5-4457-4a80-bad9-029de8df097b}" C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.40.33816" C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\Dependents\{4373d0b5-4457-4a80-bad9-029de8df097b} C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\Dependents C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{0DF1D9F9-6038-4641-AB6D-13DD654758A7}v14.40.33816\\packages\\vcRuntimeAdditional_x86\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.40.33816" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\679E80FBE29B63345BF612177149674C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Version = "14.40.33816" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Dependents\{4373d0b5-4457-4a80-bad9-029de8df097b} C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5AD66A7D301B1C540A7A37C6802E4F46\Provider C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\ProductName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.40.33816" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\ = "{0DF1D9F9-6038-4641-AB6D-13DD654758A7}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F9D1FD083061464BAD631DD5674857A\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\ = "{D7A66DA5-B103-45C1-A0A7-736C08E2F464}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5AD66A7D301B1C540A7A37C6802E4F46\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5AD66A7D301B1C540A7A37C6802E4F46\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle\Dependents C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E} C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F9D1FD083061464BAD631DD5674857A\VC_Runtime_Additional C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14 C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F9D1FD083061464BAD631DD5674857A\ProductName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.40.33816" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F9D1FD083061464BAD631DD5674857A C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
PID 2940 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
PID 2940 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
PID 4896 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\vcredist.tmp
PID 4896 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\vcredist.tmp
PID 4896 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\vcredist.tmp
PID 4244 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\vcredist.tmp C:\Windows\Temp\{7623CB75-D7E8-4204-B0DC-ABB6699E722C}\.cr\vcredist.tmp
PID 4244 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\vcredist.tmp C:\Windows\Temp\{7623CB75-D7E8-4204-B0DC-ABB6699E722C}\.cr\vcredist.tmp
PID 4244 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\vcredist.tmp C:\Windows\Temp\{7623CB75-D7E8-4204-B0DC-ABB6699E722C}\.cr\vcredist.tmp
PID 1332 wrote to memory of 2612 N/A C:\Windows\Temp\{7623CB75-D7E8-4204-B0DC-ABB6699E722C}\.cr\vcredist.tmp C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe
PID 1332 wrote to memory of 2612 N/A C:\Windows\Temp\{7623CB75-D7E8-4204-B0DC-ABB6699E722C}\.cr\vcredist.tmp C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe
PID 1332 wrote to memory of 2612 N/A C:\Windows\Temp\{7623CB75-D7E8-4204-B0DC-ABB6699E722C}\.cr\vcredist.tmp C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe
PID 2612 wrote to memory of 752 N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2612 wrote to memory of 752 N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2612 wrote to memory of 752 N/A C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 752 wrote to memory of 4528 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 752 wrote to memory of 4528 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 752 wrote to memory of 4528 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 4528 wrote to memory of 1840 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 4528 wrote to memory of 1840 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 4528 wrote to memory of 1840 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 4896 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 4896 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 1960 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 1960 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe
PID 744 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe

"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe

"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart

C:\Users\Admin\AppData\Local\Temp\vcredist.tmp

"C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" /q /norestart

C:\Windows\Temp\{7623CB75-D7E8-4204-B0DC-ABB6699E722C}\.cr\vcredist.tmp

"C:\Windows\Temp\{7623CB75-D7E8-4204-B0DC-ABB6699E722C}\.cr\vcredist.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" -burn.filehandle.attached=728 -burn.filehandle.self=732 /q /norestart

C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe

"C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{DD9A5972-C36A-4E38-B543-1FBC56DE17D1} {D3755D2D-0D42-40B0-BB6F-961E71F577FD} 1332

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={4373d0b5-4457-4a80-bad9-029de8df097b} -burn.filehandle.self=996 -burn.embedded BurnPipe.{9A4E6AFE-32A4-4A56-B3E6-F657F1BFDE0D} {6CF99502-0AAA-4CA4-85CE-CD88F9DDCF23} 2612

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=560 -uninstall -quiet -burn.related.upgrade -burn.ancestors={4373d0b5-4457-4a80-bad9-029de8df097b} -burn.filehandle.self=996 -burn.embedded BurnPipe.{9A4E6AFE-32A4-4A56-B3E6-F657F1BFDE0D} {6CF99502-0AAA-4CA4-85CE-CD88F9DDCF23} 2612

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{4041330E-BB89-49D9-919E-1BC4DC5D44BB} {6505A2E2-0452-4225-AC66-5E557750DE13} 4528

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --allow-pre-commit-input --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-field-trial-config --disable-hang-monitor --disable-infobars --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-search-engine-choice-screen --disable-sync --enable-automation --enable-blink-features=IdleDetection --export-tagged-pdf --generate-pdf-document-outline --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --disable-features=Translate,AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold --enable-features= about:blank --disable-web-security --window-size="880,740" --window-position="200,-34" --remote-debugging-port=0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0"

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0 /prefetch:4 --monitor-self --monitor-self-argument=--type=crashpad-handler --monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0 --monitor-self-argument=/prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Crashpad --annotation=plat=Win64 "--annotation=prod=Google Chrome for Testing" --annotation=ver=124.0.6367.201 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9fc36cc70,0x7ff9fc36cc7c,0x7ff9fc36cc88

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0 /prefetch:4 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Crashpad --annotation=plat=Win64 "--annotation=prod=Google Chrome for Testing" --annotation=ver=124.0.6367.201 --initial-client-data=0x1c4,0x1c8,0x1cc,0x118,0x1d0,0x7ff73dec9900,0x7ff73dec990c,0x7ff73dec9918

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=gpu-process --disable-breakpad --user-data-dir="C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0" --no-appcompat-clear --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1988,i,16766091272339496740,11534123053306318933,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=1984 /prefetch:2

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0" --no-appcompat-clear --start-stack-profiler --field-trial-handle=1772,i,16766091272339496740,11534123053306318933,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=1704 /prefetch:3

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0" --no-appcompat-clear --field-trial-handle=2212,i,16766091272339496740,11534123053306318933,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=1948 /prefetch:8

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0" --no-appcompat-clear --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2832,i,16766091272339496740,11534123053306318933,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=2864 /prefetch:1

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0" --no-appcompat-clear --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2836,i,16766091272339496740,11534123053306318933,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=2892 /prefetch:1

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0" --no-appcompat-clear --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4512,i,16766091272339496740,11534123053306318933,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:1

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

"C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0" --no-appcompat-clear --field-trial-handle=4896,i,16766091272339496740,11534123053306318933,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=4920 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 aka.ms udp
GB 2.16.234.57:443 aka.ms tcp
US 8.8.8.8:53 57.234.16.2.in-addr.arpa udp
US 8.8.8.8:53 download.visualstudio.microsoft.com udp
US 199.232.214.172:443 download.visualstudio.microsoft.com tcp
GB 20.26.156.210:443 api.github.com tcp
GB 128.116.119.4:443 clientsettings.roblox.com tcp
GB 20.26.156.215:443 github.com tcp
GB 172.217.16.251:443 storage.googleapis.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 4.119.116.128.in-addr.arpa udp
GB 172.217.16.251:443 storage.googleapis.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 173.194.69.84:443 accounts.google.com tcp
US 8.8.8.8:53 roblox.com udp
US 8.8.8.8:53 roblox.com udp
GB 128.116.119.4:443 roblox.com tcp
GB 128.116.119.4:443 roblox.com tcp
US 8.8.8.8:53 www.roblox.com udp
US 8.8.8.8:53 www.roblox.com udp
US 8.8.8.8:53 css.rbxcdn.com udp
US 8.8.8.8:53 css.rbxcdn.com udp
US 8.8.8.8:53 static.rbxcdn.com udp
US 8.8.8.8:53 static.rbxcdn.com udp
US 8.8.8.8:53 js.rbxcdn.com udp
US 8.8.8.8:53 js.rbxcdn.com udp
US 8.8.8.8:53 images.rbxcdn.com udp
US 8.8.8.8:53 images.rbxcdn.com udp
GB 2.18.190.78:443 static.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.19.117.6:443 js.rbxcdn.com tcp
GB 2.19.117.6:443 js.rbxcdn.com tcp
GB 2.19.117.6:443 js.rbxcdn.com tcp
GB 2.19.117.6:443 js.rbxcdn.com tcp
GB 2.19.117.6:443 js.rbxcdn.com tcp
GB 2.19.117.6:443 js.rbxcdn.com tcp
GB 2.18.190.73:443 images.rbxcdn.com tcp
US 8.8.8.8:53 metrics.roblox.com udp
US 8.8.8.8:53 metrics.roblox.com udp
US 8.8.8.8:53 apis.roblox.com udp
US 8.8.8.8:53 apis.roblox.com udp
US 8.8.8.8:53 ecsv2.roblox.com udp
US 8.8.8.8:53 ecsv2.roblox.com udp
US 8.8.8.8:53 apis.rbxcdn.com udp
US 8.8.8.8:53 apis.rbxcdn.com udp
GB 2.19.117.27:443 apis.rbxcdn.com tcp
US 8.8.8.8:53 auth.roblox.com udp
US 8.8.8.8:53 auth.roblox.com udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 172.217.16.234:443 content-autofill.googleapis.com tcp
N/A 127.0.0.1:50324 N/A tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google udp

Files

memory/2940-0-0x000000007445E000-0x000000007445F000-memory.dmp

memory/2940-1-0x0000000000350000-0x00000000008BC000-memory.dmp

memory/2940-2-0x00000000058D0000-0x0000000005E76000-memory.dmp

memory/2940-3-0x0000000005390000-0x00000000053D6000-memory.dmp

memory/2940-4-0x0000000074450000-0x0000000074C01000-memory.dmp

memory/2940-5-0x0000000005480000-0x0000000005512000-memory.dmp

memory/2940-6-0x00000000053E0000-0x0000000005406000-memory.dmp

memory/2940-7-0x0000000005420000-0x000000000543E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe.config

MD5 0a86fa27d09e26491dbbb4fe27f4b410
SHA1 63e4b5afb8bdb67fc1d6f8dddeb40be20939289e
SHA256 2b6d99db8369b0ff6372737d89d1c9e4101815b4168a3852c7b513f2897e7f3d
SHA512 fbebc4dc0925d5d67271cac04c1ed324091442ef4c9f6243d2c1c523c9aa6b338c6a594e4987fc142dd3b2a023338a267c8a3454e47fbf0b3e0dbd7b3b65cc0d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Roblox Account Manager.exe.log

MD5 72c442c0ee7dde7b3455bb315289bcf2
SHA1 d33367411ce01348f531e098495885b9d2ea110b
SHA256 180f825c19263ae06fc891efcde51f993b720a27bd6e563742a110b40cb3fe41
SHA512 b66e975424f17e3b4dce2d2746d78b8a05001ee17a7208c1f5f81ed8530aa2e3d4b10f4c64b33ba7c05a5e9e2afc548abf6bdfaffd6015c2cb7d624a688dc018

memory/2940-14-0x000000007445E000-0x000000007445F000-memory.dmp

memory/4896-15-0x0000000074450000-0x0000000074C01000-memory.dmp

memory/2940-16-0x0000000074450000-0x0000000074C01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\log4.config

MD5 e4659ac08af3582a23f38bf6c562f841
SHA1 19cb4f014ba96285fa1798f008deabce632c7e76
SHA256 e4b10630d9ec2af508de31752fbbc6816c7426c40a3e57f0a085ce7f42c77bd5
SHA512 5bfa1e021cc7ee5e7a00da865d68684202b3b92d3d369b85b80c591fffa67725d434398325dc1e37c659eab62c0a4118b3e279ac0096b95790d252ceb6254249

memory/4896-17-0x0000000074450000-0x0000000074C01000-memory.dmp

memory/4896-20-0x0000000006C00000-0x0000000006C74000-memory.dmp

memory/4896-21-0x0000000006D80000-0x0000000006D8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RAMTheme.ini

MD5 f18fa783f4d27e35e54e54417334bfb4
SHA1 94511cdf37213bebdaf42a6140c9fe5be8eb07ba
SHA256 563eb35fd613f4298cd4dceff67652a13ba516a6244d9407c5709323c4ca4bb1
SHA512 602f6a68562bc89a4b3c3a71c2477377f161470bf8ae8e6925bf35691367115abfa9809925bd09c35596c6a3e5a7e9d090e5198e6a885a6658049c8732a05071

memory/4896-23-0x0000000074450000-0x0000000074C01000-memory.dmp

memory/4896-24-0x000000000B2C0000-0x000000000B2FA000-memory.dmp

memory/4896-25-0x0000000074450000-0x0000000074C01000-memory.dmp

memory/4896-26-0x000000000B8E0000-0x000000000B8EA000-memory.dmp

memory/4896-27-0x000000000BA40000-0x000000000BAE0000-memory.dmp

memory/4896-32-0x000000000C460000-0x000000000C4B8000-memory.dmp

memory/4896-34-0x000000000D7D0000-0x000000000D882000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RAMSettings.ini

MD5 1d917eaf5dcc8e06dd032c33f3a3d36a
SHA1 1eacb4eced22393fd5140910d30070f2e054e2fe
SHA256 787fa9af1c32b7e198119469c0e2c02c06b34ec7c990b62b9f4fb9bc8cedaa5f
SHA512 3cf5bc6160262ad454477cc0fab401696a7e5dff9e6fae1cdcfa0579ded640ea8c383dfcea6194f55c914927058e2355fd661d1fa83f87c10aeffa6a91cb9fcd

memory/4896-35-0x000000000D9C0000-0x000000000D9E2000-memory.dmp

memory/4896-36-0x000000000D9F0000-0x000000000DAE4000-memory.dmp

memory/4896-37-0x000000000DAE0000-0x000000000DAFA000-memory.dmp

memory/4896-38-0x000000000DB20000-0x000000000DB28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vcredist.tmp

MD5 d38126688b5647bf209606d07a90c2e6
SHA1 467bb2c862def52f2858e5158c96f7ac6d6dcab2
SHA256 ed1967c2ac27d806806d121601b526f84e497ae1b99ed139c0c4c6b50147df4a
SHA512 8a0991b993d5206450228454b4f83251cc311cc2b0dd105494928e03bf2e865de8ccf9676c8e7453164bb1805929a3a9616ea020524b77dbc0a6bbca0d222daf

C:\Windows\Temp\{7623CB75-D7E8-4204-B0DC-ABB6699E722C}\.cr\vcredist.tmp

MD5 38b9328b53a786141dc7d54992aa03bc
SHA1 b3de0981128c8170b70e977a21c6c7e3e8437d8f
SHA256 32e2651799071c5e6c51bdaf0df7823526b25b2f34c01f9472bb159044d62c11
SHA512 b5ac7f0675feea295be0553520fd5341e5122ea1e33d2eaffa5d9f9170f5c97b30ea5db25774c00a69ecc48f018412bb1795e357aafc7565e242e5e4025527e2

C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.ba\wixstdba.dll

MD5 f68f43f809840328f4e993a54b0d5e62
SHA1 01da48ce6c81df4835b4c2eca7e1d447be893d39
SHA256 e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e
SHA512 a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1

C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

memory/4896-102-0x00000000057E0000-0x00000000057E8000-memory.dmp

memory/4896-101-0x00000000079D0000-0x0000000007A20000-memory.dmp

memory/4896-103-0x000000000F490000-0x000000000F7E7000-memory.dmp

memory/4896-105-0x0000000074450000-0x0000000074C01000-memory.dmp

memory/4896-106-0x0000000074450000-0x0000000074C01000-memory.dmp

memory/4896-107-0x0000000074450000-0x0000000074C01000-memory.dmp

memory/4896-108-0x0000000074450000-0x0000000074C01000-memory.dmp

memory/4896-110-0x000000000C500000-0x000000000C50A000-memory.dmp

memory/4896-111-0x000000000C530000-0x000000000C542000-memory.dmp

C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\cabB3E1576D1FEFBB979E13B1A5379E0B16

MD5 512cc3e31ba72999bd0be1ff2faf59df
SHA1 56210834f64afa1800def2bc26d421e78c056639
SHA256 55b0b98e9222a6f43c644bbf6f642267535d08270dce52c09e0f31b98385ffb0
SHA512 3c912488fdbd9b6f01e87a189f825b77c186d018df9ed27fe554644eb0b40fdeac8903f7ee99a77c740c75b27056fd7977e47810144714052539308d16a7df67

C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\vcRuntimeAdditional_x86

MD5 4879fe953ed435ca08589645b8eec144
SHA1 bc58d6f3ed69be01690d97c59dafda612cbc5f2b
SHA256 0ddc3f10282fdb663ac92ce5930e46cf996a4b42b592b9911b4001d12d4178bc
SHA512 222cb3f93b5d759c87077716f9cc95f152997e6c95a13aae8a4e789c274836ba41a03b6e08926135efdc8cd8413b47f02f34ddd4f6c7622ea98458b6e06d24ce

C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\cab54A5CABBE7274D8A22EB58060AAB7623

MD5 c15278501772ebaf95ab908b94a552f2
SHA1 cf9c8ae523d9a6ed2797be072c9f659b9ed5dadb
SHA256 17d7bcb6c05f6c422f1bfbf5db923fc7d1427ec578968b75403830e759853b07
SHA512 f109a3af129b0025bd6dfb141d27e3d336145bc70c1fde590e44e4402d479680ca91ac0bc8cf8cd854e05a74c649719822218b2a1f58f75cbbaa9f03c9aeaf93

C:\Windows\Temp\{B0A067A1-63DC-4B08-AA99-C2DF04170D78}\vcRuntimeMinimum_x86

MD5 aebc9db05b27963bdd7dc5f3c7eca0a9
SHA1 31d6f6cabd5fbfb7c2899d481f18e18930dbfdfd
SHA256 d9598b33dc795da4cbd520b790c45507cbce3976576e0e506b388c5f7ac3290c
SHA512 564d945821d80e27fdffcfdafd79c72d498018067a74e85fd6ee595a6a09453ae0fb1df41b430f656001bafc1b0b89c5433bd5aae48c179daa7a8a8732090c63

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20241112110116_000_vcRuntimeMinimum_x86.log

MD5 e1b7e2d925c91471c920b69f0c916fd6
SHA1 0220017d067d4a1eaa2f4291507e2f0a44bd2a5c
SHA256 5fd3d8438cc0b263aed132a526253050cb4b70d3ca3b0f6aa068337b505e1ac5
SHA512 cd7a72ca038c8bec5de9dc05dec688f323ed15967a4bf4ea198ab3d23eab281dea6da50ddf4c72bb880627040cd740d61ba72f5f28ab2fe31eb8796ddf2acd0a

C:\Config.Msi\e57ec78.rbs

MD5 9064ae5dd30202efc652ef8bd8239216
SHA1 32a22da5b6d1f536e70a308c60d7b65e55e08209
SHA256 524c5275b1eba06c9ef5691d10aa2e074c0c1da0106f3ab6a520c1f60c363fd0
SHA512 f213ed3359372c3a06140ceba0d6648bc085ecba75160497af33fded4aeac250f79c81926f00ae44e7cdae05e3ba9f10364f3fd9d2df36288b39d3c5a2b9777d

C:\Config.Msi\e57ec7d.rbs

MD5 42e6aa57f516d15809959ee3a38017d2
SHA1 4a2243fa1564a7feaa72e77af83d41a427d5a28d
SHA256 aa72ee8a0c1ef0e9c096f1c14824719e28916de7f7d791d434c2b683829e8f83
SHA512 4237cb84f8d7d063ed28cc6f6d08c5ad364faafa12d7baf8cf78d090fc0435491def03c34815a8ebe9752a2b16c9ec1ac8f678b43b529004e2ac423f233c0b61

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20241112110116_001_vcRuntimeAdditional_x86.log

MD5 352d63abf7831a676c9d71ee4ab7bd96
SHA1 232d820df844915543797dd29dbc39fc4b7894bc
SHA256 fe209abaab5d112304aefe31c02f4d965e7ab557692e0e219da936b6bb10ddc5
SHA512 0632c6dc07db69e2e36078da9489b13a4c741064f5db35edc0cf55576771a7b78d82bdc9a2ab1379f4833d8203c622b49b4a0bd94f859a9ea040b74d5c72e846

C:\Config.Msi\e57ec8a.rbs

MD5 0821a9f832a820426edfdded735b5bc0
SHA1 9a7626d0da0b156046c3bb14acd6dc40ebf7813d
SHA256 17e042d78eb25dbbca9d9b55cd7cc336eae44d48a1f3df1c8d0ec0a5828703f5
SHA512 dd025ad0966fca6be1b5121b40fd52b53ca5e4c57977ad084b883205c41a5b213dc3716b99a0e161c7aea28f4274cdbc9a59e0b4976cc15a6d77099d16c8916b

C:\Config.Msi\e57ec99.rbs

MD5 67b0065144258368be15b5507274986f
SHA1 63b221e383ff8ebd0c5b258518625b93a170a59f
SHA256 311536c0f81157f7993f187bc1bb13019a52c4be4375077c67169c8f2a1fc50a
SHA512 80ea4faa8330d68bfbb347c3ef4e22410220814065856afe9abd0aa1baad8f6767442ec566d04c93b1eb090b40bd3907ac868760ea4a5480c9727183f75d0a41

C:\Windows\Temp\{E6EFEBBD-B3BA-4EED-978C-6C49D1B0EF35}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

memory/4528-457-0x00000000004B0000-0x0000000000527000-memory.dmp

memory/1840-420-0x00000000004B0000-0x0000000000527000-memory.dmp

memory/752-458-0x00000000004B0000-0x0000000000527000-memory.dmp

memory/4896-525-0x00000000060F0000-0x00000000060FA000-memory.dmp

memory/4896-526-0x000000000C4C0000-0x000000000C4CA000-memory.dmp

memory/4896-527-0x000000000C4E0000-0x000000000C4F4000-memory.dmp

memory/4896-528-0x000000000C550000-0x000000000C58E000-memory.dmp

memory/4896-529-0x0000000007D30000-0x0000000007D40000-memory.dmp

memory/4896-530-0x000000000C510000-0x000000000C524000-memory.dmp

memory/4896-531-0x000000000C6E0000-0x000000000C6E8000-memory.dmp

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome_elf.dll

MD5 561916711c707fe011411fd3d2cf71a8
SHA1 f7780da112a6abb515e7a9883810cf82a634674a
SHA256 0d2ccf801ceabba978a77238e1b79afc9a66983a11c07e011f876c063a71ffdb
SHA512 29b11fa1ffff586df4bae7a141a5e69500e327b54aa19efc32bd5bdd2f9652bbb641bc7bdc3116c95ca27022022894da5f9c94c987ce6c9793fce93f668b9c5a

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome.exe

MD5 f26dfce9583f0d7d41b31ee11e56be43
SHA1 5718e9ea9c5ec6888a3d5eae9c090b0880414b0a
SHA256 613536f294de53d1e9bb53a31269300fef4427f5e461ff6c7a1de3fa88c7667c
SHA512 88447cf2767667a2d470b62b2f2be79483343003e40e02deeafc20ea27d63b66cd336ceede04f850edb920009672682e32290050b18daf9c575bd020d7bd4966

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\icudtl.dat

MD5 74bded81ce10a426df54da39cfa132ff
SHA1 eb26bcc7d24be42bd8cfbded53bd62d605989bbf
SHA256 7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9
SHA512 bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\resources.pak

MD5 d092e6572493590a6cb2498e029509dc
SHA1 f3564c4fec2e855486d63a90e34b1abb59e40ecb
SHA256 103ba11595d71025abc07c1f32e9f0fa11d9a191afeba6ee950154c5b358ac0b
SHA512 e8894be07117dd7fa624a8d48dafa9371623bad475bc2523eaa5d0da1aa026deecb03062678a35a79c9798d5215a008ed812548ae2107d22bbe226940499d7ff

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\locales\en-US.pak

MD5 a8af211968e7d1fbc577fc55e1859f6d
SHA1 1fbf54c0be76318b4c4ede2daea08191221df890
SHA256 92efd174fffe9e958e20edf1acdb9394ce81ae38b9d1a04203cb35585ecbb5b7
SHA512 11c2d88467135e8d39c06dffe27be53c471d0c917b1767050d6c36dd7701ecac22680313203efc312ac6ffe867da658cc38ccb9ba19962e78a5accc6e5df0e21

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome_200_percent.pak

MD5 e7f0c4a2f06aa4c40206cdc1bfb9166e
SHA1 14679473561d6f3d710a2514620e2f97650e5791
SHA256 3cd793c813d79579e5dafb3b63204e2ccb525f6b27a6dc25525c9fafabce4d29
SHA512 fcca36df17760212654f3d08a0265fbce42b51a3ca13e70012dd723fd6ea084775036744fe32d0439fcf496c2fb2d5a733fbb87bdd3f318a64bb4611c7ff5f58

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\chrome_100_percent.pak

MD5 f796340aed680b64c37657912c63b050
SHA1 8fccd026e7e88c733cbd37b495e9e0afff0b24be
SHA256 329113e1ab3c6ac34d8375fd0a66e6ba12c1c49675101d10e231316b5a14c8c2
SHA512 98a8d6858b23bebdee8c7d13d5534aa568bffd2e9c030aec2263778ac2bdd7dea5c7e38b942352089ec4123d789eeaa2376623fba652e119db61cc006d3ace56

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\libEGL.dll

MD5 06ed270c198a3d563ee931ac6f825683
SHA1 3c34e2bcf9099413a176085a3e1cade95035d3d2
SHA256 89c3cf5576b06b8114450f55f16f5fa0c2197db45a7ef0e57bc0eda872dcd6f5
SHA512 e865bae51bc2c2687049919a5581339a70f66beb9eb62488830be06ec1892f8bb11bc5728f9c7665469dae7333bfa110312696d954f19d0c86aad8277453a713

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\dxcompiler.dll

MD5 6caa5cb29ca313e5facf1ecb9bf1bb0e
SHA1 1c57de100aaecdfd5d57305a33bc15bee78822be
SHA256 81b7a214c95ca2462addcc6061604fc69c4393f1fc2b4457e015f38cb7d54093
SHA512 dfef239eab517de44435a61d199136e1a44a450ad2ecbfe4d542b4be57dcbb2948a6c553e2e56920628e4e7eae6db3f2a7aeefca6e3854563838ef2ac2deaa52

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Default\Site Characteristics Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\GrShaderCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\GrShaderCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\GrShaderCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\GrShaderCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Default\Extension Scripts\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\dxil.dll

MD5 30da04b06e0abec33fecc55db1aa9b95
SHA1 de711585acfe49c510b500328803d3a411a4e515
SHA256 a5fe1d8d9caa2ff29daffd53f73a9a4e19c250351b2abe4fc7b57e60ce67ac68
SHA512 67790874377e308d1448d0e41df9dd353a5f63686df4eb9a8e70a4da449b0c63a5d3655ab38d24b145ad3c57971b1c6793ea6c5ac2257b6eb2e8964a44ab0f08

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\vk_swiftshader.dll

MD5 50b6baa8afafbf849557eef9a6c600af
SHA1 8f050d6b8a89be5d27209ae26c90874757a8eb5f
SHA256 b1bdf61233010357f8bf5d5837719229b527581ac2ebcd5c9662f04471f2cc9e
SHA512 60866cc0fd0aa65febdf1da751701bcaf3cd90edf3cca3a8b3058c1aed26b56ba74332be697d22b30214446234477030a86605cc71b85940ea8adc6c169e7f35

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\v8_context_snapshot.bin

MD5 0753b1e35ebc257c8511b6f219fac1ec
SHA1 7acd65cbcc253130b0127a0a189601671e9fc1d1
SHA256 ddd3a5acffc4e8d6b9211c84733debdf394c3cb12d702598e1a5e56b13c89c61
SHA512 b9dfac660d834aacb30e6e1e272c4f0669659514f48aadc8b5542dd42ca1bd5aca4bbd00941c2ccacccc9ca068f133623dedc9994f5ccbbf1ac36bbdef99aee2

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\libGLESv2.dll

MD5 acd281e2a183ef45f130663118d20897
SHA1 dcab723cc20477a40d99a62e6bbfb75fa470c47f
SHA256 6cebea494ff17a5ec8c54b7fd5e13834eae556178ac42e7eab545263646aa080
SHA512 a59c491002224e86b4598104927b4c10107bf964ea7ad192f9ac6dca8a9a5b39d0e37c888c6d2e36234eb0b48c60a55da36852d377f4a506ca41274f834703ee

C:\Users\Admin\AppData\Local\PuppeteerSharp\Chrome\Win64-124.0.6367.201\chrome-win64\D3DCompiler_47.dll

MD5 a7b7470c347f84365ffe1b2072b4f95c
SHA1 57a96f6fb326ba65b7f7016242132b3f9464c7a3
SHA256 af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a
SHA512 83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

memory/4896-680-0x000000000C320000-0x000000000C32A000-memory.dmp

\??\pipe\crashpad_744_LNFGAXTFJDHODGYZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Local State

MD5 0ca9cb21e163c7e9b90c19ea5f3248c7
SHA1 7707a5e0c6ade8719998026c441c70c842d2e424
SHA256 655fe28ea7bc975d1fe28cd259ab8187b14d7e6c7fd7af92caa3d09626ca27bd
SHA512 928d456fb68ae881a4e74b17660453acabc3b55bf1605d6bead2ac5c3824b261b4401576644356d5fb8b0bc715d926757201251a04963300b8c0483295fdbaa2

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Local State~RFe5851c5.TMP

MD5 16ac3479b3bb1c3ffdd0070682c900b3
SHA1 04538108a77ad67c18582d03cd3a3e1ab60c6ef4
SHA256 3029b4f2490ac12f9dacba61ddee38d89364eb84461a02a4aded1bb1767bd7a0
SHA512 7124d6bf2c248a83cb2c550f3d4cacb60bc973f75a9f04935881607039d7ad364e4823c8bd38c4e2c7ac22bed7bc1d8840a2da241fb171cfebd25af90fcddc52

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Default\Secure Preferences

MD5 086afae8d65aeeb395212f5a875678c0
SHA1 a4161273f103028eabebb3366feb478311ad61bb
SHA256 9f2e2fb2a841e99ceeee65948b16eaa23eaec300a304ef2bde37fc5b13c55af1
SHA512 e3bc0179e7d5c63828ead4fe5a8d90aa07a8dca3e14bca73144079f4f2c8c23c96ad98b929b52d8f7742042f24f06db5c74fd38626de440ebf7c451fcc62e844

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Default\Preferences

MD5 2f85263f41dddc02be5eeb5e11cdad32
SHA1 7bab233c42133f4b4e7c9ad408bd3a5f39c90547
SHA256 e800ed7e1aade2cc7f37f5c0d4033612ad2ded9f0a0e012421672c99b99d1604
SHA512 b72bc675af7fcbb60bb798d770d4723591130fe7a8ff335a94594b665239b4f44a2bbe05138008cca5a1c5e9b63467f00f7b11c4388e22e6bd59ce213bc66d4c

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Default\Code Cache\js\index-dir\the-real-index

MD5 61a9a45984cdf1ff71c1482f97d9e11d
SHA1 a8a8da5b24d2c6ab0a1a34ae2525961dfe5e58b0
SHA256 8e77ae28b06601b73e5ba915d62420a9d75865a87a513dee2d75e4b35b75c630
SHA512 e992e040bd6d1b9d765f338136800f261ce2c29b496796570068bd54349d05a34ad20504b6742911f4479da2c87b59f675b1b2d50a68408f2921d236ca46d1c4

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Default\Preferences~RFe5861d2.TMP

MD5 c22d87290e419ad43ef38a1f30f33fab
SHA1 6475ccf3fecba0c460030ec1be0f798d5a6dc475
SHA256 c96f6ed3281d5ad981bb2a453f22582bb08bec67aad352e4fcf31bc2f2605041
SHA512 059d5f08d940412c391bd2b6b6f6b93f8d857dd254bad8c7740c870c26e675f75023f0fbb9379ac455818327a55d3028b293b11eb7e936c59f7130e3799ca5c6

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Local State

MD5 f5b207d6b12b95b592a8b19a4fb55b98
SHA1 38d69587229bd23ebb9ddbbbe80b8725e76d093c
SHA256 7b76b0317b1b6fa30f34b8a3538e8b9695546e38aed61b785989bba6e27f882b
SHA512 36aa457fd89df7abef61e3eb58a30f4270a27192482bc3ccf6b64e27d0adf202d7f8385c4ce35dcab2868652b0d2afc21db2e92ba721ad01579a41585563e4a2

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Default\Secure Preferences~RFe5861c2.TMP

MD5 2714aeaccd8642219269cdfb751ba122
SHA1 4b2d069108bc2444c2b4faa975ddebf311b54f6d
SHA256 ed79364912367127d2d9dd6f291862085d50fb79b0934fc5b53e73d77b36e15b
SHA512 45e281c9aef326ae4b1395bbf43ace1cbea9d0c19c07c732811eea290d200afd417f572da003dad16f3375c2065f4c69783cb30286900c68bfa9a43fe484f973

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Local State

MD5 8e7cd2b44f328bcc331ec96aba0bb880
SHA1 8cf5c0f42e4066ede084c9e66e7fa2f78b92ea65
SHA256 5deb364b8074d1e787ef2c1170f79904b4ac54d363665d4903fc79151835355b
SHA512 1b9a1459af074111095842f48f50bc750ce741a4d6ffc3dede6dafb65fbb78b6177476cbfde236e51e1a9e0c6c22eca1eb21ffed82720bd58c9269209755fd56

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Default\Code Cache\js\index-dir\the-real-index

MD5 ab869525a62500318686029fc35ac986
SHA1 3a8361add8cbfc54b532c3692d18662f532226f9
SHA256 4d0b8164fc78ff2477109762aff6db928a94fc6a418af850722d15b4dd1b1f64
SHA512 16d551440452c64aae1135c5cfcaa6ed46ab4fc5e0e1038b9aa02005e32c66828932e46fb7597884ef5a715c069939681c9bcc9883ba6c94c65b89c7eb2c630d

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Default\Network\TransportSecurity

MD5 d515ba179ac36b4bb05bd3c449a0c4b8
SHA1 daa6211e4700d60ce94458bd9bfc83061c2796b7
SHA256 33ee5c8a210d0dedf72dc67643fb0c83be79c9b1399dcc445106e3bec9638e96
SHA512 97110c020a40f3414f8a46526252fdc06243f28e0872d799ae4c75942724bdee6a54daec106d678f57b8ec5de83f653c4b31d88d1040f50b28af2e1e12732f24

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Default\Network\TransportSecurity~RFe5861f1.TMP

MD5 51d01dde166144859ad58cb82218550a
SHA1 dcf3d43fb9fa8951eb116f6af42cd61e6c94efa5
SHA256 a8453129e421d0b164c4d0dc0948cf411719abcc434d173bd28ffabc43c1d105
SHA512 d1657c9b6019b98460196c78764b6161a7d571093218a99b3785b470e23a89af333437b9944719f7159d5aea49c39d48721ba00b28cb88d1067b827eacbed595

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Default\Network\Network Persistent State

MD5 aec86b0c8a92e21f09b2d28ac317e5e2
SHA1 fa89bc0fa648245599422464d8a2d986760cfb54
SHA256 5b9d4287e122ec292c173e1a0d821daf0bf5c315185701822544c3eacdf8c262
SHA512 79dd656df07e8d57860e5becce0f2c634bb08d243fcc1233d00ddba439b06c8b90509eb9e3723767625d11fd16ac49acdb8b2edd6ec5167dcf0495de1197ac35

C:\Users\Admin\AppData\Local\Temp\u1ffu3vu.2d0\Default\Network\Network Persistent State~RFe5861f1.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b