Malware Analysis Report

2024-12-07 10:36

Sample ID 241113-xmjqtawrd1
Target Roblox Account Manager.exe
SHA256 be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1
Tags discovery persistence
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1

Threat Level: Likely malicious

The file Roblox Account Manager.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks installed software on the system

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 18:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 18:58

Reported

2024-11-13 18:59

Platform

win7-20241010-en

Max time kernel

27s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C0FB9C1-A1F1-11EF-A5D6-7E6174361434} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1656 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
PID 1656 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
PID 1656 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
PID 1656 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
PID 2244 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2244 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2244 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2244 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2440 wrote to memory of 1976 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2440 wrote to memory of 1976 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2440 wrote to memory of 1976 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2440 wrote to memory of 1976 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe

"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe

"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=Roblox Account Manager.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:275457 /prefetch:2

Network

Files

memory/1656-0-0x000000007490E000-0x000000007490F000-memory.dmp

memory/1656-1-0x0000000000AB0000-0x000000000101C000-memory.dmp

memory/1656-2-0x0000000000740000-0x0000000000786000-memory.dmp

memory/1656-3-0x0000000074900000-0x0000000074FEE000-memory.dmp

memory/1656-4-0x0000000000A20000-0x0000000000A46000-memory.dmp

memory/1656-5-0x0000000000A50000-0x0000000000A6E000-memory.dmp

memory/1656-6-0x0000000074900000-0x0000000074FEE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe.config

MD5 0a86fa27d09e26491dbbb4fe27f4b410
SHA1 63e4b5afb8bdb67fc1d6f8dddeb40be20939289e
SHA256 2b6d99db8369b0ff6372737d89d1c9e4101815b4168a3852c7b513f2897e7f3d
SHA512 fbebc4dc0925d5d67271cac04c1ed324091442ef4c9f6243d2c1c523c9aa6b338c6a594e4987fc142dd3b2a023338a267c8a3454e47fbf0b3e0dbd7b3b65cc0d

memory/1656-11-0x0000000074900000-0x0000000074FEE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD960.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD992.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45ee46474cfe42202111f6f9ef4518ac
SHA1 e2a71f952f3dd6ae65ebc4af97c5146d873dca87
SHA256 7310496ced4308260dda57dda8f780c2b76935283e500572688507995d9e2355
SHA512 7ff523a627850eabce236803e6ce36694a0854d548333bb259dcf3a43e23a426fe4ceaf0285fa44874635928fe681362e002fec7275753208142bf6f31fc9471

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 379ed3684aa7f7288affca848dd35b7a
SHA1 3c887f3be704935cfdc4347fce8401d587cc35a3
SHA256 a15a6766c401fc37c47607278922f15ece425338711f3c8210c89842b3c5492a
SHA512 7e226760d5aedeacbdf2e4077e12c471a643104221987d088c5331f1eb3a5b43aceb9a4e17ffb1beb43614a6c93d01e40b633ec25d130895e8cef7da0ccd218c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f98696009cc75a2c0f66ff0ac88d020
SHA1 69fc8bf3bbcc1bab72433ccbb602617741320e63
SHA256 5f7951c8815e18174d8e88222371a42a30132ddad0ae685de7c82221f91df113
SHA512 ed8101d20538d4e5aa99c7526ff5047e2ff810ce15c57324f7c0062f6f6800500562fee7202ad7b902cc4f90d474090e87a864d91ae241312be7173e4f4cf390

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d30e08ad6af8f26f16507fe02bbd654b
SHA1 f2a66999fbf90e33b94671eeb8b12ed7d689e22e
SHA256 d4974212df2f6bdc777ff5776e19b959b956e512c778a9ef6e38ef0675309216
SHA512 cf4fdbe89440c88aa775c9bcaac0b46800f292fd538453f14e41e79f35f8259c688c0a48dc58617b31491cc9f0ef3f231f7feab33d26793168bc5b4090b84caf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a2402de310703a6aec1dc3a24a2f98c
SHA1 76e531a3aa0e4188a214b0df8c029adc0f7702a9
SHA256 cb2b41fcd6f3591169528b6981bc09ae8c91de19a99a918fc6d12df6ca07e050
SHA512 ee048efb7362a7d18196060eefd1926efa1e841e1945588caed555f9d29363035c35a779d228755fbf0432b800550b828970b6b2701d8e1a5a112d9d3cf5a6b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7a80e89effb53fc77912863baac89dee
SHA1 bc8006948f7aa6245431fc9706e312f9767b70f2
SHA256 7c2c3c75be9eda47f3ee9ef60eba2557c5249aa4c5b6df04bb9ca4a4af6b1816
SHA512 170160afcb62fb7de2b4e58ec2bcac4ef23ecee7aab7e8fafdd3988a58f2145eb12d54006685c6774595377ce502321b4fdd9d4992ae0fef69e1ad369fbd40ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab3b5e019dab1d504b617de9b03029bc
SHA1 a58e4b0caaeba72f6216ab762078a82b0cee7b73
SHA256 f26d3e020440248f6bae6615ebf56ecd72d0613f0b31b62310c591d11bc1d5e0
SHA512 d3f24e3b1a249b3c597356b6cbd5d978e3b1d962fbb51c48fc7a65a08aaea455b02f53cdcac683347a5897fc0eaee261019b6f3138366fc6e2428592a8596c98

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff3026b94314cb9c7b663fcc2476b814
SHA1 22e7b1a4930f0f5916133ab6d87fba649c61190d
SHA256 d15d33e3221deba403526c01067668e0f2c268cd0c67b03df98097992b7caeba
SHA512 0df924427100ff7799c7f9ed586086b4e5d5e9f6f2926fb48adfb09835229cc75f625042de59bec7a8e6557d87f0e8ecf421d929ab5f44e40481254426c8841f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ab1c77474ab1fb98d196593c481c5a3
SHA1 9cf33af880aa8703433cf70371aefad0207da4d3
SHA256 ea75f64111d68e2c57472a4d702571caf976a104f072a926dc1bad7d2a147fc2
SHA512 87c18f2971c9e53ac044d817abd41d8acf13cb20b28c6593015390ffa7a6ca61ffeab1766e94991e7f3fc6d4147b41f0a2ecc1f9570228858089f89b18d71968

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f3d8654b74a904af122c38ab025dda5a
SHA1 e4dff7466e2163ea96a51db3f68203ead2554093
SHA256 59bccfcd7cdbc12b1a759677abcffaa0077cc93247f1719169a12442cdac0fd6
SHA512 607f71303376ea2bb69ee06a5a6ef7ef00ad6f7b3b4d7b6987653e8790a4ad7e98f75813a361ef428de3d2a0717a0b231e8135c463cead2922a6de29bc5dc5c9

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 18:58

Reported

2024-11-13 18:59

Platform

win10v2004-20241007-en

Max time kernel

45s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e7802eac-3305-4da0-9378-e55d1ed05518} = "\"C:\\ProgramData\\Package Cache\\{e7802eac-3305-4da0-9378-e55d1ed05518}\\VC_redist.x86.exe\" /burn.runonce" C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\mfc140jpn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140kor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140deu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140chs.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140cht.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140ita.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140kor.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140rus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfcm140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140jpn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140esn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140chs.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140deu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140rus.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfcm140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140ita.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140fra.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140cht.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140fra.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcruntime140_threads.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140esn.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI683.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{C2BB95AA-90F3-4891-81C1-A7E565BB836C} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{84E3E712-6343-484B-8B6C-9F145F019A70} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5804dd.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7FB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC71.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e580504.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5804dd.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5804ef.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF02.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5804ee.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5804ef.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vcredist.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value not preserved in report] C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E} C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.42.34433" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\ = "{84E3E712-6343-484B-8B6C-9F145F019A70}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\217E3E483436B484B8C6F941F510A907\VC_Runtime_Additional C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle\Dependents C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{84E3E712-6343-484B-8B6C-9F145F019A70}v14.42.34433\\packages\\vcRuntimeAdditional_x86\\" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA59BB2C3F091984181C7A5E56BB38C6\VC_Runtime_Minimum C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14 C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50\217E3E483436B484B8C6F941F510A907 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\SourceList\PackageName = "vc_runtimeAdditional_x86.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA59BB2C3F091984181C7A5E56BB38C6 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\217E3E483436B484B8C6F941F510A907 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\Version = "237667969" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5040806F8AF9AAC49928419ED5A1D3CA C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.42,bundle\Version = "14.42.34433.0" C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.42,bundle\Dependents\{e7802eac-3305-4da0-9378-e55d1ed05518} C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\217E3E483436B484B8C6F941F510A907\Provider C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\ProductName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.42.34433" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\ = "{C2BB95AA-90F3-4891-81C1-A7E565BB836C}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Version = "14.42.34433" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\SourceList\PackageName = "vc_runtimeMinimum_x86.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{e7802eac-3305-4da0-9378-e55d1ed05518} C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA59BB2C3F091984181C7A5E56BB38C6\Provider C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\Version = "237667969" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{C2BB95AA-90F3-4891-81C1-A7E565BB836C}v14.42.34433\\packages\\vcRuntimeMinimum_x86\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Dependents\{e7802eac-3305-4da0-9378-e55d1ed05518} C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.42.34433" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\679E80FBE29B63345BF612177149674C C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1\AA59BB2C3F091984181C7A5E56BB38C6 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{84E3E712-6343-484B-8B6C-9F145F019A70}v14.42.34433\\packages\\vcRuntimeAdditional_x86\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.42,bundle\Dependents C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\PackageCode = "2A6913A281E36934992C8D584A14C6CB" C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
PID 2356 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
PID 2356 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
PID 3572 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\vcredist.tmp
PID 3572 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\vcredist.tmp
PID 3572 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe C:\Users\Admin\AppData\Local\Temp\vcredist.tmp
PID 1352 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\vcredist.tmp C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp
PID 1352 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\vcredist.tmp C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp
PID 1352 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\vcredist.tmp C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp
PID 3708 wrote to memory of 2684 N/A C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe
PID 3708 wrote to memory of 2684 N/A C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe
PID 3708 wrote to memory of 2684 N/A C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe
PID 2684 wrote to memory of 4572 N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2684 wrote to memory of 4572 N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2684 wrote to memory of 4572 N/A C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 4572 wrote to memory of 3828 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 4572 wrote to memory of 3828 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 4572 wrote to memory of 3828 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3828 wrote to memory of 5024 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3828 wrote to memory of 5024 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3828 wrote to memory of 5024 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe

"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe

"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart

C:\Users\Admin\AppData\Local\Temp\vcredist.tmp

"C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" /q /norestart

C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp

"C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" -burn.filehandle.attached=692 -burn.filehandle.self=696 /q /norestart

C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe

"C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{9A8FAFE9-2048-4AA6-BC7D-D6D91F103C54} {349907A8-497E-4A98-9CB0-E0247F4C065F} 3708

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={e7802eac-3305-4da0-9378-e55d1ed05518} -burn.filehandle.self=1012 -burn.embedded BurnPipe.{D3388C1E-F793-42EC-A0C3-BE2521B056DD} {1B68CBD8-8786-44AA-A526-46BA0A3BBFE3} 2684

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 -uninstall -quiet -burn.related.upgrade -burn.ancestors={e7802eac-3305-4da0-9378-e55d1ed05518} -burn.filehandle.self=1012 -burn.embedded BurnPipe.{D3388C1E-F793-42EC-A0C3-BE2521B056DD} {1B68CBD8-8786-44AA-A526-46BA0A3BBFE3} 2684

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{4E339662-FF8B-45C4-B2B3-5A877E8331AC} {54DB1252-6682-4A51-A77D-F4B633365CDF} 3828

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 aka.ms udp
GB 2.23.205.167:443 aka.ms tcp
US 8.8.8.8:53 download.visualstudio.microsoft.com udp
US 199.232.210.172:443 download.visualstudio.microsoft.com tcp
US 8.8.8.8:53 167.205.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 clientsettings.roblox.com udp
GB 128.116.119.4:443 clientsettings.roblox.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 storage.googleapis.com udp
GB 20.26.156.215:443 github.com tcp
GB 142.250.179.251:443 storage.googleapis.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 4.119.116.128.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 251.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
GB 142.250.179.251:443 storage.googleapis.com tcp

Files

memory/2356-0-0x000000007488E000-0x000000007488F000-memory.dmp

memory/2356-1-0x0000000000B40000-0x00000000010AC000-memory.dmp

memory/2356-2-0x0000000006070000-0x0000000006614000-memory.dmp

memory/2356-3-0x0000000074880000-0x0000000075030000-memory.dmp

memory/2356-4-0x0000000005A20000-0x0000000005A66000-memory.dmp

memory/2356-5-0x0000000005B70000-0x0000000005C02000-memory.dmp

memory/2356-6-0x0000000005AD0000-0x0000000005AF6000-memory.dmp

memory/2356-7-0x0000000005B10000-0x0000000005B2E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe.config

MD5 0a86fa27d09e26491dbbb4fe27f4b410
SHA1 63e4b5afb8bdb67fc1d6f8dddeb40be20939289e
SHA256 2b6d99db8369b0ff6372737d89d1c9e4101815b4168a3852c7b513f2897e7f3d
SHA512 fbebc4dc0925d5d67271cac04c1ed324091442ef4c9f6243d2c1c523c9aa6b338c6a594e4987fc142dd3b2a023338a267c8a3454e47fbf0b3e0dbd7b3b65cc0d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Roblox Account Manager.exe.log

MD5 a02e8a8a790f0e0861e3b6b0dbe56062
SHA1 a3e65805e5c78641cafebc1052906d7350da9d2e
SHA256 7fada0f81b63e1ecb265e9620ace8f5f0d40773626081849f5d98e668bc4e594
SHA512 108a81f818aa027834d621c771e427ee3f300c59d9dc10d853b94b1e8d635cf6bc06338dce31da30b08660c6fb06a39f9069c983bb585049f5fe9f50b753eb42

memory/2356-14-0x000000007488E000-0x000000007488F000-memory.dmp

memory/3572-16-0x0000000074880000-0x0000000075030000-memory.dmp

memory/2356-15-0x0000000074880000-0x0000000075030000-memory.dmp

memory/3572-17-0x0000000074880000-0x0000000075030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\log4.config

MD5 e4659ac08af3582a23f38bf6c562f841
SHA1 19cb4f014ba96285fa1798f008deabce632c7e76
SHA256 e4b10630d9ec2af508de31752fbbc6816c7426c40a3e57f0a085ce7f42c77bd5
SHA512 5bfa1e021cc7ee5e7a00da865d68684202b3b92d3d369b85b80c591fffa67725d434398325dc1e37c659eab62c0a4118b3e279ac0096b95790d252ceb6254249

memory/3572-20-0x00000000066D0000-0x0000000006744000-memory.dmp

memory/3572-21-0x0000000006880000-0x000000000688A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RAMTheme.ini

MD5 f18fa783f4d27e35e54e54417334bfb4
SHA1 94511cdf37213bebdaf42a6140c9fe5be8eb07ba
SHA256 563eb35fd613f4298cd4dceff67652a13ba516a6244d9407c5709323c4ca4bb1
SHA512 602f6a68562bc89a4b3c3a71c2477377f161470bf8ae8e6925bf35691367115abfa9809925bd09c35596c6a3e5a7e9d090e5198e6a885a6658049c8732a05071

memory/3572-23-0x0000000074880000-0x0000000075030000-memory.dmp

memory/3572-24-0x000000000B520000-0x000000000B55A000-memory.dmp

memory/3572-25-0x0000000074880000-0x0000000075030000-memory.dmp

memory/3572-26-0x000000000C250000-0x000000000C25A000-memory.dmp

memory/3572-27-0x000000000C3A0000-0x000000000C440000-memory.dmp

memory/3572-32-0x000000000DAD0000-0x000000000DB28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RAMSettings.ini

MD5 1d917eaf5dcc8e06dd032c33f3a3d36a
SHA1 1eacb4eced22393fd5140910d30070f2e054e2fe
SHA256 787fa9af1c32b7e198119469c0e2c02c06b34ec7c990b62b9f4fb9bc8cedaa5f
SHA512 3cf5bc6160262ad454477cc0fab401696a7e5dff9e6fae1cdcfa0579ded640ea8c383dfcea6194f55c914927058e2355fd661d1fa83f87c10aeffa6a91cb9fcd

memory/3572-34-0x000000000DC80000-0x000000000DD32000-memory.dmp

memory/3572-37-0x000000000DE80000-0x000000000DE9A000-memory.dmp

memory/3572-38-0x000000000DEB0000-0x000000000DEB8000-memory.dmp

memory/3572-36-0x000000000DD90000-0x000000000DE84000-memory.dmp

memory/3572-35-0x000000000DD60000-0x000000000DD82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vcredist.tmp

MD5 8a6f4f3282236325360a9ac4413b7bc3
SHA1 cb617803813e969be73f2e0e175a67620e53aa59
SHA256 dd1a8be03398367745a87a5e35bebdab00fdad080cf42af0c3f20802d08c25d4
SHA512 2c1facb8567a052b4fa65d173b0bda64fa5fded2cddb9073b7c28507ed95414c17d2839d06d5e961617c754cda54d6134964b1aff5c9e9cdfbace71f1de2ac3a

C:\Windows\Temp\{A5673C36-8CE1-4F9E-88AC-DA3B68673B73}\.cr\vcredist.tmp

MD5 f7aca1ef43beaa02107214482e6b51d6
SHA1 fb5cec36519b148119dec501cec92d894eb3b60a
SHA256 169b8f7025b301ffce5402c98c07f9e01bbadce52a2961175b777279f92624a7
SHA512 82cf5ebaa0a16e229b82e2dd550d7ab76409c89b4cfb7f163d1cce6d156db737ec5a09a3aa832b4076039665a6044aaeca3a6d311f8264492707ae281bbe7443

C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.ba\wixstdba.dll

MD5 f68f43f809840328f4e993a54b0d5e62
SHA1 01da48ce6c81df4835b4c2eca7e1d447be893d39
SHA256 e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e
SHA512 a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1

C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

memory/3572-101-0x0000000074880000-0x0000000075030000-memory.dmp

memory/3572-102-0x0000000074880000-0x0000000075030000-memory.dmp

memory/3572-103-0x0000000074880000-0x0000000075030000-memory.dmp

memory/3572-104-0x0000000074880000-0x0000000075030000-memory.dmp

C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\vcRuntimeMinimum_x86

MD5 975e07089d93c2540f0e91da7e1e0142
SHA1 e65a155b9f88cabf6fc34111751051f8872f1dc2
SHA256 16547c99e9dc8602603beda79bb9099d06b2f0e06273660aaffd3193d82e8bf5
SHA512 047ca9eaf996b5b89cedf0f9e9d7544cb8700bba02e10aa90fbd283fdebb2e1ec98295569f145e0dc9bbf3dbd44f64e4d02429cbcdff7e149f2804c135ee2595

C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\cab54A5CABBE7274D8A22EB58060AAB7623

MD5 a04f3e3bd8684cf660619e0f6af4d751
SHA1 2b5b1a39de1faa20d9a5774ec7b27dee5f6fc065
SHA256 b31b87a09f3aa2df573050949e87a68eeda01cb80dc974714d0603cea2c0708b
SHA512 fb3c081ad9f23661ed6f167ca878469d702f5cb60c15bb6d04c21331b43f8b88d98a680ad74ff5855e4c286260452be9e25b49b5b245d14fa30297cc8add5828

C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\cabB3E1576D1FEFBB979E13B1A5379E0B16

MD5 654f67c3c99d57a0008427141bd1cfc6
SHA1 60887d57c8910a5034379ddc7a0ad5e2c2bfcde6
SHA256 d87d9b997b91f9e375bf3cf994b67882ce21c0fbd4d0c4611dd6f593d4a8f3be
SHA512 0f3182a9c923a51f9ffed2e8639f9bcb72ace859c6253aa860a95c2c67c6b9d80d7945042460a7f73e357614b149c9d906c101f800724825279f07902571a064

C:\Windows\Temp\{FC8745A0-4A6B-4962-BBF3-207B1E941C3B}\vcRuntimeAdditional_x86

MD5 95715c58dd2864b361dbd9e651b2f5ad
SHA1 c8b19282b7950e7b8e106b5bbccad4fc7b3aa661
SHA256 a6447de0d0d5b56b50988ae350432d68e9d83fbb566e2fcaa3f758a2b2574fea
SHA512 10eb258d1c1ab690e03fd782316133305530a7a50769263176765862a754dcf5ec258ca5805d2be447a53b29b3557b519a6cec812208d88982201c86ea8d5fb3

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20241113185840_000_vcRuntimeMinimum_x86.log

MD5 9a1dc6daa8c48aa9e8685d0606a4670b
SHA1 c4b018bf0b67df434c9f19ff354f367223129d1c
SHA256 620c8e665241626f8e718d07ef7aa387d6d3ea2e5be09cc8cd277701b2befaf0
SHA512 519cc0425a6b81a638321327123ca483bede7f30d300082e75ca0fb8208e8dd7fc6cee996fba73d02b4242ffcf2b7034893b141ccce16dc8ed40ffc62c1bce76

C:\Config.Msi\e5804e2.rbs

MD5 eba91d1051392eed50ea8615e38f7bce
SHA1 02d8ba8d82570da3efe5411a662665358096194d
SHA256 7f13905ae608dd776c23848162c17d54e6a3685791c6586d466b831cab61540f
SHA512 254f73e49478411cac8731b572813f94e26d4589ac911d9d1357c6f93c9c2b99d65b3effb2a74bb076d85bbc43a292212722af0aa8ff40c7ff84f7b7baf29d36

C:\Config.Msi\e5804e7.rbs

MD5 ed1d2c88ce86a3b69ffc753b44f022dc
SHA1 e863f5ec37b050e5f4c2c3e95ef4b852cb9e3dd7
SHA256 012e2c927264d01f4bb94efb3ea6a9da2061a606316a274c8c75f395d1ff25af
SHA512 23bea0657da6b20c55ef5b6ffec9315e11517c4c875306e5789dfb2c72bdd0379ae6aff3e54c3c6b3702f10ba32730cf8057c139c8d163a7831f1a7868893720

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20241113185840_001_vcRuntimeAdditional_x86.log

MD5 e0ae1f45f01225700de95f9a7c349ad8
SHA1 bc16f0659a66544a11e4b263536255e24eb00696
SHA256 7e6f5778b44e0eecdbf43ab456a4eed69ef268c77ec49770127d77d68469ba0a
SHA512 f0104a6df2ab25ef124cc4892ddf796366426f109710d23008404d35051f7a73a0a1d773ce60b91f35cd7f7de4dde2126da636116e45354423a3209e28c541de

C:\Config.Msi\e5804f4.rbs

MD5 18a8b5870e62bcf29feca977815fd4d3
SHA1 ca053a915824dfcc6f6b4f701288b903217c3321
SHA256 26591603742a2685916f64030b9396756d212b77ddadb518c4f314665824a845
SHA512 8dbd5b51435a23eb582fb5dbbd7d17744ac36715ce47d76195565a77dc98d6f781a09bf9d0814f01b608c05d3b07a88b06cd1d1346e163a144079cc0e7c6e4b5

C:\Config.Msi\e580503.rbs

MD5 6ad131228617e5361dd62da1883ef5a9
SHA1 0f062d17e4f18ed38eaf1301087047215afc4c3d
SHA256 c209bec3a939643a9848a0d9c42941b6efbb1bd971454b0f31b69c0fb67b67b5
SHA512 f295cf10dfdf136927cb9592da872c2dbb1485aedfd0f5005d00b585a5c6506f02868c451a7fb4ff944f0d6c2cba273cc0ba636b3736d338da3efcfc811b9ca4

memory/3572-196-0x0000000005290000-0x000000000529A000-memory.dmp

memory/3572-197-0x000000000C920000-0x000000000C932000-memory.dmp

C:\Windows\Temp\{90783B29-B416-4509-8278-0773C0ACF7C3}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

memory/5024-260-0x0000000000D70000-0x0000000000DE7000-memory.dmp

memory/3828-297-0x0000000000D70000-0x0000000000DE7000-memory.dmp

memory/4572-298-0x0000000000D70000-0x0000000000DE7000-memory.dmp