Analysis Overview
SHA256
be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1
Threat Level: Likely malicious
The file Roblox Account Manager.exe was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Checks SCSI registry key(s)
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 18:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 18:58
Reported
2024-11-13 18:59
Platform
win7-20241010-en
Max time kernel
27s
Max time network
36s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C0FB9C1-A1F1-11EF-A5D6-7E6174361434} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=Roblox Account Manager.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:275457 /prefetch:2
Network
Files
memory/1656-0-0x000000007490E000-0x000000007490F000-memory.dmp
memory/1656-1-0x0000000000AB0000-0x000000000101C000-memory.dmp
memory/1656-2-0x0000000000740000-0x0000000000786000-memory.dmp
memory/1656-3-0x0000000074900000-0x0000000074FEE000-memory.dmp
memory/1656-4-0x0000000000A20000-0x0000000000A46000-memory.dmp
memory/1656-5-0x0000000000A50000-0x0000000000A6E000-memory.dmp
memory/1656-6-0x0000000074900000-0x0000000074FEE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe.config
| MD5 | 0a86fa27d09e26491dbbb4fe27f4b410 |
| SHA1 | 63e4b5afb8bdb67fc1d6f8dddeb40be20939289e |
| SHA256 | 2b6d99db8369b0ff6372737d89d1c9e4101815b4168a3852c7b513f2897e7f3d |
| SHA512 | fbebc4dc0925d5d67271cac04c1ed324091442ef4c9f6243d2c1c523c9aa6b338c6a594e4987fc142dd3b2a023338a267c8a3454e47fbf0b3e0dbd7b3b65cc0d |
memory/1656-11-0x0000000074900000-0x0000000074FEE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabD960.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarD992.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 45ee46474cfe42202111f6f9ef4518ac |
| SHA1 | e2a71f952f3dd6ae65ebc4af97c5146d873dca87 |
| SHA256 | 7310496ced4308260dda57dda8f780c2b76935283e500572688507995d9e2355 |
| SHA512 | 7ff523a627850eabce236803e6ce36694a0854d548333bb259dcf3a43e23a426fe4ceaf0285fa44874635928fe681362e002fec7275753208142bf6f31fc9471 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 379ed3684aa7f7288affca848dd35b7a |
| SHA1 | 3c887f3be704935cfdc4347fce8401d587cc35a3 |
| SHA256 | a15a6766c401fc37c47607278922f15ece425338711f3c8210c89842b3c5492a |
| SHA512 | 7e226760d5aedeacbdf2e4077e12c471a643104221987d088c5331f1eb3a5b43aceb9a4e17ffb1beb43614a6c93d01e40b633ec25d130895e8cef7da0ccd218c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6f98696009cc75a2c0f66ff0ac88d020 |
| SHA1 | 69fc8bf3bbcc1bab72433ccbb602617741320e63 |
| SHA256 | 5f7951c8815e18174d8e88222371a42a30132ddad0ae685de7c82221f91df113 |
| SHA512 | ed8101d20538d4e5aa99c7526ff5047e2ff810ce15c57324f7c0062f6f6800500562fee7202ad7b902cc4f90d474090e87a864d91ae241312be7173e4f4cf390 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d30e08ad6af8f26f16507fe02bbd654b |
| SHA1 | f2a66999fbf90e33b94671eeb8b12ed7d689e22e |
| SHA256 | d4974212df2f6bdc777ff5776e19b959b956e512c778a9ef6e38ef0675309216 |
| SHA512 | cf4fdbe89440c88aa775c9bcaac0b46800f292fd538453f14e41e79f35f8259c688c0a48dc58617b31491cc9f0ef3f231f7feab33d26793168bc5b4090b84caf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6a2402de310703a6aec1dc3a24a2f98c |
| SHA1 | 76e531a3aa0e4188a214b0df8c029adc0f7702a9 |
| SHA256 | cb2b41fcd6f3591169528b6981bc09ae8c91de19a99a918fc6d12df6ca07e050 |
| SHA512 | ee048efb7362a7d18196060eefd1926efa1e841e1945588caed555f9d29363035c35a779d228755fbf0432b800550b828970b6b2701d8e1a5a112d9d3cf5a6b1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7a80e89effb53fc77912863baac89dee |
| SHA1 | bc8006948f7aa6245431fc9706e312f9767b70f2 |
| SHA256 | 7c2c3c75be9eda47f3ee9ef60eba2557c5249aa4c5b6df04bb9ca4a4af6b1816 |
| SHA512 | 170160afcb62fb7de2b4e58ec2bcac4ef23ecee7aab7e8fafdd3988a58f2145eb12d54006685c6774595377ce502321b4fdd9d4992ae0fef69e1ad369fbd40ea |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ab3b5e019dab1d504b617de9b03029bc |
| SHA1 | a58e4b0caaeba72f6216ab762078a82b0cee7b73 |
| SHA256 | f26d3e020440248f6bae6615ebf56ecd72d0613f0b31b62310c591d11bc1d5e0 |
| SHA512 | d3f24e3b1a249b3c597356b6cbd5d978e3b1d962fbb51c48fc7a65a08aaea455b02f53cdcac683347a5897fc0eaee261019b6f3138366fc6e2428592a8596c98 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ff3026b94314cb9c7b663fcc2476b814 |
| SHA1 | 22e7b1a4930f0f5916133ab6d87fba649c61190d |
| SHA256 | d15d33e3221deba403526c01067668e0f2c268cd0c67b03df98097992b7caeba |
| SHA512 | 0df924427100ff7799c7f9ed586086b4e5d5e9f6f2926fb48adfb09835229cc75f625042de59bec7a8e6557d87f0e8ecf421d929ab5f44e40481254426c8841f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8ab1c77474ab1fb98d196593c481c5a3 |
| SHA1 | 9cf33af880aa8703433cf70371aefad0207da4d3 |
| SHA256 | ea75f64111d68e2c57472a4d702571caf976a104f072a926dc1bad7d2a147fc2 |
| SHA512 | 87c18f2971c9e53ac044d817abd41d8acf13cb20b28c6593015390ffa7a6ca61ffeab1766e94991e7f3fc6d4147b41f0a2ecc1f9570228858089f89b18d71968 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f3d8654b74a904af122c38ab025dda5a |
| SHA1 | e4dff7466e2163ea96a51db3f68203ead2554093 |
| SHA256 | 59bccfcd7cdbc12b1a759677abcffaa0077cc93247f1719169a12442cdac0fd6 |
| SHA512 | 607f71303376ea2bb69ee06a5a6ef7ef00ad6f7b3b4d7b6987653e8790a4ad7e98f75813a361ef428de3d2a0717a0b231e8135c463cead2922a6de29bc5dc5c9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 18:58
Reported
2024-11-13 18:59
Platform
win10v2004-20241007-en
Max time kernel
45s
Max time network
46s
Command Line
Signatures
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vcredist.tmp | N/A |
| N/A | N/A | C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp | N/A |
| N/A | N/A | C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp | N/A |
| N/A | N/A | C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e7802eac-3305-4da0-9378-e55d1ed05518} = "\"C:\\ProgramData\\Package Cache\\{e7802eac-3305-4da0-9378-e55d1ed05518}\\VC_redist.x86.exe\" /burn.runonce" | C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\mfc140jpn.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc140kor.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\concrt140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcp140_atomic_wait.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140deu.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc140chs.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140cht.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140enu.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140ita.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140kor.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp140_2.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcp140_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfcm140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140rus.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\mfcm140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\vcruntime140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140jpn.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc140esn.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\mfcm140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp140_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp140_atomic_wait.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vccorlib140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140chs.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc140deu.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc140enu.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vcamp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcp140_2.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\vcamp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\vcomp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc140rus.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\concrt140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vcomp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfcm140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc140ita.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\vccorlib140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140fra.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc140cht.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc140fra.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vcruntime140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\vcruntime140_threads.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140esn.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI683.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{C2BB95AA-90F3-4891-81C1-A7E565BB836C} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{84E3E712-6343-484B-8B6C-9F145F019A70} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5804dd.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7FB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC71.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e580504.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5804dd.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5804ef.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5804ee.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5804ef.msi | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vcredist.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E} | C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.42.34433" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\ = "{84E3E712-6343-484B-8B6C-9F145F019A70}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\217E3E483436B484B8C6F941F510A907\VC_Runtime_Additional | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle\Dependents | C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{84E3E712-6343-484B-8B6C-9F145F019A70}v14.42.34433\\packages\\vcRuntimeAdditional_x86\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA59BB2C3F091984181C7A5E56BB38C6\VC_Runtime_Minimum | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14 | C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50\217E3E483436B484B8C6F941F510A907 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\SourceList\PackageName = "vc_runtimeAdditional_x86.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA59BB2C3F091984181C7A5E56BB38C6 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\217E3E483436B484B8C6F941F510A907 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\Version = "237667969" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5040806F8AF9AAC49928419ED5A1D3CA | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.42,bundle\Version = "14.42.34433.0" | C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.42,bundle\Dependents\{e7802eac-3305-4da0-9378-e55d1ed05518} | C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\217E3E483436B484B8C6F941F510A907\Provider | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\ProductName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.42.34433" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\ = "{C2BB95AA-90F3-4891-81C1-A7E565BB836C}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Version = "14.42.34433" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle | C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\SourceList\PackageName = "vc_runtimeMinimum_x86.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{e7802eac-3305-4da0-9378-e55d1ed05518} | C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA59BB2C3F091984181C7A5E56BB38C6\Provider | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\Version = "237667969" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{C2BB95AA-90F3-4891-81C1-A7E565BB836C}v14.42.34433\\packages\\vcRuntimeMinimum_x86\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Dependents\{e7802eac-3305-4da0-9378-e55d1ed05518} | C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.42.34433" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\679E80FBE29B63345BF612177149674C | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1\AA59BB2C3F091984181C7A5E56BB38C6 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{84E3E712-6343-484B-8B6C-9F145F019A70}v14.42.34433\\packages\\vcRuntimeAdditional_x86\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.42,bundle\Dependents | C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\PackageCode = "2A6913A281E36934992C8D584A14C6CB" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe | "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" |
| C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe | "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart |
| C:\Users\Admin\AppData\Local\Temp\vcredist.tmp | "C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" /q /norestart |
| C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp | "C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" -burn.filehandle.attached=692 -burn.filehandle.self=696 /q /norestart |
| C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe | "C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{9A8FAFE9-2048-4AA6-BC7D-D6D91F103C54} {349907A8-497E-4A98-9CB0-E0247F4C065F} 3708 |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\srtasks.exe | C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe | "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={e7802eac-3305-4da0-9378-e55d1ed05518} -burn.filehandle.self=1012 -burn.embedded BurnPipe.{D3388C1E-F793-42EC-A0C3-BE2521B056DD} {1B68CBD8-8786-44AA-A526-46BA0A3BBFE3} 2684 |
| C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe | "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 -uninstall -quiet -burn.related.upgrade -burn.ancestors={e7802eac-3305-4da0-9378-e55d1ed05518} -burn.filehandle.self=1012 -burn.embedded BurnPipe.{D3388C1E-F793-42EC-A0C3-BE2521B056DD} {1B68CBD8-8786-44AA-A526-46BA0A3BBFE3} 2684 |
| C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe | "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{4E339662-FF8B-45C4-B2B3-5A877E8331AC} {54DB1252-6682-4A51-A77D-F4B633365CDF} 3828 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aka.ms | udp |
| GB | 2.23.205.167:443 | aka.ms | tcp |
| US | 8.8.8.8:53 | download.visualstudio.microsoft.com | udp |
| US | 199.232.210.172:443 | download.visualstudio.microsoft.com | tcp |
| US | 8.8.8.8:53 | 167.205.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | clientsettings.roblox.com | udp |
| GB | 128.116.119.4:443 | clientsettings.roblox.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | storage.googleapis.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 142.250.179.251:443 | storage.googleapis.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.119.116.128.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| GB | 142.250.179.251:443 | storage.googleapis.com | tcp |
Files
memory/2356-0-0x000000007488E000-0x000000007488F000-memory.dmp
memory/2356-1-0x0000000000B40000-0x00000000010AC000-memory.dmp
memory/2356-2-0x0000000006070000-0x0000000006614000-memory.dmp
memory/2356-3-0x0000000074880000-0x0000000075030000-memory.dmp
memory/2356-4-0x0000000005A20000-0x0000000005A66000-memory.dmp
memory/2356-5-0x0000000005B70000-0x0000000005C02000-memory.dmp
memory/2356-6-0x0000000005AD0000-0x0000000005AF6000-memory.dmp
memory/2356-7-0x0000000005B10000-0x0000000005B2E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe.config
| MD5 | 0a86fa27d09e26491dbbb4fe27f4b410 |
| SHA1 | 63e4b5afb8bdb67fc1d6f8dddeb40be20939289e |
| SHA256 | 2b6d99db8369b0ff6372737d89d1c9e4101815b4168a3852c7b513f2897e7f3d |
| SHA512 | fbebc4dc0925d5d67271cac04c1ed324091442ef4c9f6243d2c1c523c9aa6b338c6a594e4987fc142dd3b2a023338a267c8a3454e47fbf0b3e0dbd7b3b65cc0d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Roblox Account Manager.exe.log
| MD5 | a02e8a8a790f0e0861e3b6b0dbe56062 |
| SHA1 | a3e65805e5c78641cafebc1052906d7350da9d2e |
| SHA256 | 7fada0f81b63e1ecb265e9620ace8f5f0d40773626081849f5d98e668bc4e594 |
| SHA512 | 108a81f818aa027834d621c771e427ee3f300c59d9dc10d853b94b1e8d635cf6bc06338dce31da30b08660c6fb06a39f9069c983bb585049f5fe9f50b753eb42 |
memory/2356-14-0x000000007488E000-0x000000007488F000-memory.dmp
memory/3572-16-0x0000000074880000-0x0000000075030000-memory.dmp
memory/2356-15-0x0000000074880000-0x0000000075030000-memory.dmp
memory/3572-17-0x0000000074880000-0x0000000075030000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\log4.config
| MD5 | e4659ac08af3582a23f38bf6c562f841 |
| SHA1 | 19cb4f014ba96285fa1798f008deabce632c7e76 |
| SHA256 | e4b10630d9ec2af508de31752fbbc6816c7426c40a3e57f0a085ce7f42c77bd5 |
| SHA512 | 5bfa1e021cc7ee5e7a00da865d68684202b3b92d3d369b85b80c591fffa67725d434398325dc1e37c659eab62c0a4118b3e279ac0096b95790d252ceb6254249 |
memory/3572-20-0x00000000066D0000-0x0000000006744000-memory.dmp
memory/3572-21-0x0000000006880000-0x000000000688A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RAMTheme.ini
| MD5 | f18fa783f4d27e35e54e54417334bfb4 |
| SHA1 | 94511cdf37213bebdaf42a6140c9fe5be8eb07ba |
| SHA256 | 563eb35fd613f4298cd4dceff67652a13ba516a6244d9407c5709323c4ca4bb1 |
| SHA512 | 602f6a68562bc89a4b3c3a71c2477377f161470bf8ae8e6925bf35691367115abfa9809925bd09c35596c6a3e5a7e9d090e5198e6a885a6658049c8732a05071 |
memory/3572-23-0x0000000074880000-0x0000000075030000-memory.dmp
memory/3572-24-0x000000000B520000-0x000000000B55A000-memory.dmp
memory/3572-25-0x0000000074880000-0x0000000075030000-memory.dmp
memory/3572-26-0x000000000C250000-0x000000000C25A000-memory.dmp
memory/3572-27-0x000000000C3A0000-0x000000000C440000-memory.dmp
memory/3572-32-0x000000000DAD0000-0x000000000DB28000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RAMSettings.ini
| MD5 | 1d917eaf5dcc8e06dd032c33f3a3d36a |
| SHA1 | 1eacb4eced22393fd5140910d30070f2e054e2fe |
| SHA256 | 787fa9af1c32b7e198119469c0e2c02c06b34ec7c990b62b9f4fb9bc8cedaa5f |
| SHA512 | 3cf5bc6160262ad454477cc0fab401696a7e5dff9e6fae1cdcfa0579ded640ea8c383dfcea6194f55c914927058e2355fd661d1fa83f87c10aeffa6a91cb9fcd |
memory/3572-34-0x000000000DC80000-0x000000000DD32000-memory.dmp
memory/3572-37-0x000000000DE80000-0x000000000DE9A000-memory.dmp
memory/3572-38-0x000000000DEB0000-0x000000000DEB8000-memory.dmp
memory/3572-36-0x000000000DD90000-0x000000000DE84000-memory.dmp
memory/3572-35-0x000000000DD60000-0x000000000DD82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vcredist.tmp
| MD5 | 8a6f4f3282236325360a9ac4413b7bc3 |
| SHA1 | cb617803813e969be73f2e0e175a67620e53aa59 |
| SHA256 | dd1a8be03398367745a87a5e35bebdab00fdad080cf42af0c3f20802d08c25d4 |
| SHA512 | 2c1facb8567a052b4fa65d173b0bda64fa5fded2cddb9073b7c28507ed95414c17d2839d06d5e961617c754cda54d6134964b1aff5c9e9cdfbace71f1de2ac3a |
C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp
| MD5 | f7aca1ef43beaa02107214482e6b51d6 |
| SHA1 | fb5cec36519b148119dec501cec92d894eb3b60a |
| SHA256 | 169b8f7025b301ffce5402c98c07f9e01bbadce52a2961175b777279f92624a7 |
| SHA512 | 82cf5ebaa0a16e229b82e2dd550d7ab76409c89b4cfb7f163d1cce6d156db737ec5a09a3aa832b4076039665a6044aaeca3a6d311f8264492707ae281bbe7443 |
C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.ba\wixstdba.dll
| MD5 | f68f43f809840328f4e993a54b0d5e62 |
| SHA1 | 01da48ce6c81df4835b4c2eca7e1d447be893d39 |
| SHA256 | e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e |
| SHA512 | a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1 |
C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.ba\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
memory/3572-101-0x0000000074880000-0x0000000075030000-memory.dmp
memory/3572-102-0x0000000074880000-0x0000000075030000-memory.dmp
memory/3572-103-0x0000000074880000-0x0000000075030000-memory.dmp
memory/3572-104-0x0000000074880000-0x0000000075030000-memory.dmp
C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\vcRuntimeMinimum_x86
| MD5 | 975e07089d93c2540f0e91da7e1e0142 |
| SHA1 | e65a155b9f88cabf6fc34111751051f8872f1dc2 |
| SHA256 | 16547c99e9dc8602603beda79bb9099d06b2f0e06273660aaffd3193d82e8bf5 |
| SHA512 | 047ca9eaf996b5b89cedf0f9e9d7544cb8700bba02e10aa90fbd283fdebb2e1ec98295569f145e0dc9bbf3dbd44f64e4d02429cbcdff7e149f2804c135ee2595 |
C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\cab54A5CABBE7274D8A22EB58060AAB7623
| MD5 | a04f3e3bd8684cf660619e0f6af4d751 |
| SHA1 | 2b5b1a39de1faa20d9a5774ec7b27dee5f6fc065 |
| SHA256 | b31b87a09f3aa2df573050949e87a68eeda01cb80dc974714d0603cea2c0708b |
| SHA512 | fb3c081ad9f23661ed6f167ca878469d702f5cb60c15bb6d04c21331b43f8b88d98a680ad74ff5855e4c286260452be9e25b49b5b245d14fa30297cc8add5828 |
C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\cabB3E1576D1FEFBB979E13B1A5379E0B16
| MD5 | 654f67c3c99d57a0008427141bd1cfc6 |
| SHA1 | 60887d57c8910a5034379ddc7a0ad5e2c2bfcde6 |
| SHA256 | d87d9b997b91f9e375bf3cf994b67882ce21c0fbd4d0c4611dd6f593d4a8f3be |
| SHA512 | 0f3182a9c923a51f9ffed2e8639f9bcb72ace859c6253aa860a95c2c67c6b9d80d7945042460a7f73e357614b149c9d906c101f800724825279f07902571a064 |
C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\vcRuntimeAdditional_x86
| MD5 | 95715c58dd2864b361dbd9e651b2f5ad |
| SHA1 | c8b19282b7950e7b8e106b5bbccad4fc7b3aa661 |
| SHA256 | a6447de0d0d5b56b50988ae350432d68e9d83fbb566e2fcaa3f758a2b2574fea |
| SHA512 | 10eb258d1c1ab690e03fd782316133305530a7a50769263176765862a754dcf5ec258ca5805d2be447a53b29b3557b519a6cec812208d88982201c86ea8d5fb3 |
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20241113185840_000_vcRuntimeMinimum_x86.log
| MD5 | 9a1dc6daa8c48aa9e8685d0606a4670b |
| SHA1 | c4b018bf0b67df434c9f19ff354f367223129d1c |
| SHA256 | 620c8e665241626f8e718d07ef7aa387d6d3ea2e5be09cc8cd277701b2befaf0 |
| SHA512 | 519cc0425a6b81a638321327123ca483bede7f30d300082e75ca0fb8208e8dd7fc6cee996fba73d02b4242ffcf2b7034893b141ccce16dc8ed40ffc62c1bce76 |
C:\Config.Msi\e5804e2.rbs
| MD5 | eba91d1051392eed50ea8615e38f7bce |
| SHA1 | 02d8ba8d82570da3efe5411a662665358096194d |
| SHA256 | 7f13905ae608dd776c23848162c17d54e6a3685791c6586d466b831cab61540f |
| SHA512 | 254f73e49478411cac8731b572813f94e26d4589ac911d9d1357c6f93c9c2b99d65b3effb2a74bb076d85bbc43a292212722af0aa8ff40c7ff84f7b7baf29d36 |
C:\Config.Msi\e5804e7.rbs
| MD5 | ed1d2c88ce86a3b69ffc753b44f022dc |
| SHA1 | e863f5ec37b050e5f4c2c3e95ef4b852cb9e3dd7 |
| SHA256 | 012e2c927264d01f4bb94efb3ea6a9da2061a606316a274c8c75f395d1ff25af |
| SHA512 | 23bea0657da6b20c55ef5b6ffec9315e11517c4c875306e5789dfb2c72bdd0379ae6aff3e54c3c6b3702f10ba32730cf8057c139c8d163a7831f1a7868893720 |
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20241113185840_001_vcRuntimeAdditional_x86.log
| MD5 | e0ae1f45f01225700de95f9a7c349ad8 |
| SHA1 | bc16f0659a66544a11e4b263536255e24eb00696 |
| SHA256 | 7e6f5778b44e0eecdbf43ab456a4eed69ef268c77ec49770127d77d68469ba0a |
| SHA512 | f0104a6df2ab25ef124cc4892ddf796366426f109710d23008404d35051f7a73a0a1d773ce60b91f35cd7f7de4dde2126da636116e45354423a3209e28c541de |
C:\Config.Msi\e5804f4.rbs
| MD5 | 18a8b5870e62bcf29feca977815fd4d3 |
| SHA1 | ca053a915824dfcc6f6b4f701288b903217c3321 |
| SHA256 | 26591603742a2685916f64030b9396756d212b77ddadb518c4f314665824a845 |
| SHA512 | 8dbd5b51435a23eb582fb5dbbd7d17744ac36715ce47d76195565a77dc98d6f781a09bf9d0814f01b608c05d3b07a88b06cd1d1346e163a144079cc0e7c6e4b5 |
C:\Config.Msi\e580503.rbs
| MD5 | 6ad131228617e5361dd62da1883ef5a9 |
| SHA1 | 0f062d17e4f18ed38eaf1301087047215afc4c3d |
| SHA256 | c209bec3a939643a9848a0d9c42941b6efbb1bd971454b0f31b69c0fb67b67b5 |
| SHA512 | f295cf10dfdf136927cb9592da872c2dbb1485aedfd0f5005d00b585a5c6506f02868c451a7fb4ff944f0d6c2cba273cc0ba636b3736d338da3efcfc811b9ca4 |
memory/3572-196-0x0000000005290000-0x000000000529A000-memory.dmp
memory/3572-197-0x000000000C920000-0x000000000C932000-memory.dmp
C:\Windows\Temp\{90783B29-B416-4509-8278-0773C0ACF7C3}\.ba\wixstdba.dll
| MD5 | eab9caf4277829abdf6223ec1efa0edd |
| SHA1 | 74862ecf349a9bedd32699f2a7a4e00b4727543d |
| SHA256 | a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041 |
| SHA512 | 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2 |
memory/5024-260-0x0000000000D70000-0x0000000000DE7000-memory.dmp
memory/3828-297-0x0000000000D70000-0x0000000000DE7000-memory.dmp
memory/4572-298-0x0000000000D70000-0x0000000000DE7000-memory.dmp