be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1

Analysis

max time kernel
144s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2025, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox Account Manager.exe
Size

5.4MB
MD5

334728f32a1144c893fdffc579a7709b
SHA1

97d2eb634d45841c1453749acb911ce1303196c0
SHA256

be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1
SHA512

5df9d63136098d23918eba652b44a87e979430b2ce3e78a3eb8faef3dd4bd9599d6c31980f9eaf2bd6a071e966421bc6cec950c28b3b917f90130e8a582c2a1f
SSDEEP

98304:42bT1Qm7d9G4/Ml61KO9bjRxMLywnrmYa0kqXf0FJ7WLhrBzcgPgL6b:/Qm59RMowO9bjRmmYiYa0kSIJ7zgPE

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
25	3704	Roblox Account Manager.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	Roblox Account Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	vcredist.tmp

Executes dropped EXE 3 IoCs

pid	Process
2520	vcredist.tmp
1468	vcredist.tmp
1004	VC_redist.x86.exe

Loads dropped DLL 3 IoCs

pid	Process
1468	vcredist.tmp
3704	Roblox Account Manager.exe
1212	VC_redist.x86.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ba10fda9-f731-441f-a999-000bbb7ceec2} = "\"C:\\ProgramData\\Package Cache\\{ba10fda9-f731-441f-a999-000bbb7ceec2}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in System32 directory 49 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57f55c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA0F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f56e.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A5592FEF-F948-4BA6-A066-8BBFC2DC7EE1}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e57f56d.msi	msiexec.exe
File created	C:\Windows\Installer\e57f56e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1375.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1684.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5D0C4511-3CA1-4FF8-A4BA-C0E1957ABEEA}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFD0E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f55c.msi	msiexec.exe
File created	C:\Windows\Installer\e57f583.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox Account Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox Account Manager.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002a49892b502c64420000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002a49892b0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809002a49892b000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d2a49892b000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002a49892b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Internet Explorer\TypedURLs	Roblox Account Manager.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEF2955A849F6AB40A66B8FB2CCDE71E\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{A5592FEF-F948-4BA6-A066-8BBFC2DC7EE1}v14.42.34438\\packages\\vcRuntimeAdditional_x86\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.42,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.42.34438"	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.42.34438"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1154C0D51AC38FF44AAB0C1E59A7EBAE\Version = "237667974"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEF2955A849F6AB40A66B8FB2CCDE71E\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEF2955A849F6AB40A66B8FB2CCDE71E\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1154C0D51AC38FF44AAB0C1E59A7EBAE\ProductName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.42.34438"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50\FEF2955A849F6AB40A66B8FB2CCDE71E	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEF2955A849F6AB40A66B8FB2CCDE71E\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.42,bundle\ = "{ba10fda9-f731-441f-a999-000bbb7ceec2}"	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.42,bundle\Dependents	VC_redist.x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1154C0D51AC38FF44AAB0C1E59A7EBAE\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1\1154C0D51AC38FF44AAB0C1E59A7EBAE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FEF2955A849F6AB40A66B8FB2CCDE71E\VC_Runtime_Additional	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEF2955A849F6AB40A66B8FB2CCDE71E\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEF2955A849F6AB40A66B8FB2CCDE71E\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Dependents\{ba10fda9-f731-441f-a999-000bbb7ceec2}	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FEF2955A849F6AB40A66B8FB2CCDE71E	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEF2955A849F6AB40A66B8FB2CCDE71E\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1154C0D51AC38FF44AAB0C1E59A7EBAE\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\ = "{5D0C4511-3CA1-4FF8-A4BA-C0E1957ABEEA}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1154C0D51AC38FF44AAB0C1E59A7EBAE	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1154C0D51AC38FF44AAB0C1E59A7EBAE\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\ = "{A5592FEF-F948-4BA6-A066-8BBFC2DC7EE1}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1154C0D51AC38FF44AAB0C1E59A7EBAE\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1154C0D51AC38FF44AAB0C1E59A7EBAE\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1154C0D51AC38FF44AAB0C1E59A7EBAE\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{5D0C4511-3CA1-4FF8-A4BA-C0E1957ABEEA}v14.42.34438\\packages\\vcRuntimeMinimum_x86\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1154C0D51AC38FF44AAB0C1E59A7EBAE\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\679E80FBE29B63345BF612177149674C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Version = "14.42.34438"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.42.34438"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1154C0D51AC38FF44AAB0C1E59A7EBAE\Assignment = "1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1154C0D51AC38FF44AAB0C1E59A7EBAE\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEF2955A849F6AB40A66B8FB2CCDE71E\PackageCode = "350710E12BD1D544E8200A72EBB9B377"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEF2955A849F6AB40A66B8FB2CCDE71E\InstanceType = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1154C0D51AC38FF44AAB0C1E59A7EBAE\SourceList\PackageName = "vc_runtimeMinimum_x86.msi"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.42,bundle\Version = "14.42.34438.0"	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.42,bundle\Dependents\{ba10fda9-f731-441f-a999-000bbb7ceec2}	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEF2955A849F6AB40A66B8FB2CCDE71E\AuthorizedLUAApp = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X86,X86,14.30,BUNDLE\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.42.34438"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle\Dependents	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x86,x86,14.42,bundle	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1154C0D51AC38FF44AAB0C1E59A7EBAE\Servicing_Key	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1154C0D51AC38FF44AAB0C1E59A7EBAE	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1154C0D51AC38FF44AAB0C1E59A7EBAE\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{ba10fda9-f731-441f-a999-000bbb7ceec2}	VC_redist.x86.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2580	msiexec.exe
2580	msiexec.exe
2580	msiexec.exe
2580	msiexec.exe
2580	msiexec.exe
2580	msiexec.exe
1004	VC_redist.x86.exe
1004	VC_redist.x86.exe
1004	VC_redist.x86.exe
1004	VC_redist.x86.exe
1004	VC_redist.x86.exe
1004	VC_redist.x86.exe
2580	msiexec.exe
2580	msiexec.exe
2580	msiexec.exe
2580	msiexec.exe
2580	msiexec.exe
2580	msiexec.exe
2580	msiexec.exe
2580	msiexec.exe
2580	msiexec.exe
2580	msiexec.exe
2580	msiexec.exe
2580	msiexec.exe
2580	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3704	Roblox Account Manager.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3704	Roblox Account Manager.exe
Token: SeBackupPrivilege	1568	vssvc.exe
Token: SeRestorePrivilege	1568	vssvc.exe
Token: SeAuditPrivilege	1568	vssvc.exe
Token: SeShutdownPrivilege	1004	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	1004	VC_redist.x86.exe
Token: SeSecurityPrivilege	2580	msiexec.exe
Token: SeCreateTokenPrivilege	1004	VC_redist.x86.exe
Token: SeAssignPrimaryTokenPrivilege	1004	VC_redist.x86.exe
Token: SeLockMemoryPrivilege	1004	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	1004	VC_redist.x86.exe
Token: SeMachineAccountPrivilege	1004	VC_redist.x86.exe
Token: SeTcbPrivilege	1004	VC_redist.x86.exe
Token: SeSecurityPrivilege	1004	VC_redist.x86.exe
Token: SeTakeOwnershipPrivilege	1004	VC_redist.x86.exe
Token: SeLoadDriverPrivilege	1004	VC_redist.x86.exe
Token: SeSystemProfilePrivilege	1004	VC_redist.x86.exe
Token: SeSystemtimePrivilege	1004	VC_redist.x86.exe
Token: SeProfSingleProcessPrivilege	1004	VC_redist.x86.exe
Token: SeIncBasePriorityPrivilege	1004	VC_redist.x86.exe
Token: SeCreatePagefilePrivilege	1004	VC_redist.x86.exe
Token: SeCreatePermanentPrivilege	1004	VC_redist.x86.exe
Token: SeBackupPrivilege	1004	VC_redist.x86.exe
Token: SeRestorePrivilege	1004	VC_redist.x86.exe
Token: SeShutdownPrivilege	1004	VC_redist.x86.exe
Token: SeDebugPrivilege	1004	VC_redist.x86.exe
Token: SeAuditPrivilege	1004	VC_redist.x86.exe
Token: SeSystemEnvironmentPrivilege	1004	VC_redist.x86.exe
Token: SeChangeNotifyPrivilege	1004	VC_redist.x86.exe
Token: SeRemoteShutdownPrivilege	1004	VC_redist.x86.exe
Token: SeUndockPrivilege	1004	VC_redist.x86.exe
Token: SeSyncAgentPrivilege	1004	VC_redist.x86.exe
Token: SeEnableDelegationPrivilege	1004	VC_redist.x86.exe
Token: SeManageVolumePrivilege	1004	VC_redist.x86.exe
Token: SeImpersonatePrivilege	1004	VC_redist.x86.exe
Token: SeCreateGlobalPrivilege	1004	VC_redist.x86.exe
Token: SeRestorePrivilege	2580	msiexec.exe
Token: SeTakeOwnershipPrivilege	2580	msiexec.exe
Token: SeRestorePrivilege	2580	msiexec.exe
Token: SeTakeOwnershipPrivilege	2580	msiexec.exe
Token: SeRestorePrivilege	2580	msiexec.exe
Token: SeTakeOwnershipPrivilege	2580	msiexec.exe
Token: SeRestorePrivilege	2580	msiexec.exe
Token: SeTakeOwnershipPrivilege	2580	msiexec.exe
Token: SeRestorePrivilege	2580	msiexec.exe
Token: SeTakeOwnershipPrivilege	2580	msiexec.exe
Token: SeRestorePrivilege	2580	msiexec.exe
Token: SeTakeOwnershipPrivilege	2580	msiexec.exe
Token: SeRestorePrivilege	2580	msiexec.exe
Token: SeTakeOwnershipPrivilege	2580	msiexec.exe
Token: SeRestorePrivilege	2580	msiexec.exe
Token: SeTakeOwnershipPrivilege	2580	msiexec.exe
Token: SeRestorePrivilege	2580	msiexec.exe
Token: SeTakeOwnershipPrivilege	2580	msiexec.exe
Token: SeRestorePrivilege	2580	msiexec.exe
Token: SeTakeOwnershipPrivilege	2580	msiexec.exe
Token: SeRestorePrivilege	2580	msiexec.exe
Token: SeTakeOwnershipPrivilege	2580	msiexec.exe
Token: SeRestorePrivilege	2580	msiexec.exe
Token: SeTakeOwnershipPrivilege	2580	msiexec.exe
Token: SeRestorePrivilege	2580	msiexec.exe
Token: SeTakeOwnershipPrivilege	2580	msiexec.exe
Token: SeRestorePrivilege	2580	msiexec.exe
Token: SeTakeOwnershipPrivilege	2580	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3704	Roblox Account Manager.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 3704	3988	Roblox Account Manager.exe	89
PID 3988 wrote to memory of 3704	3988	Roblox Account Manager.exe	89
PID 3988 wrote to memory of 3704	3988	Roblox Account Manager.exe	89
PID 3704 wrote to memory of 2520	3704	Roblox Account Manager.exe	90
PID 3704 wrote to memory of 2520	3704	Roblox Account Manager.exe	90
PID 3704 wrote to memory of 2520	3704	Roblox Account Manager.exe	90
PID 2520 wrote to memory of 1468	2520	vcredist.tmp	91
PID 2520 wrote to memory of 1468	2520	vcredist.tmp	91
PID 2520 wrote to memory of 1468	2520	vcredist.tmp	91
PID 1468 wrote to memory of 1004	1468	vcredist.tmp	92
PID 1468 wrote to memory of 1004	1468	vcredist.tmp	92
PID 1468 wrote to memory of 1004	1468	vcredist.tmp	92
PID 1004 wrote to memory of 3824	1004	VC_redist.x86.exe	109
PID 1004 wrote to memory of 3824	1004	VC_redist.x86.exe	109
PID 1004 wrote to memory of 3824	1004	VC_redist.x86.exe	109
PID 3824 wrote to memory of 1212	3824	VC_redist.x86.exe	110
PID 3824 wrote to memory of 1212	3824	VC_redist.x86.exe	110
PID 3824 wrote to memory of 1212	3824	VC_redist.x86.exe	110
PID 1212 wrote to memory of 3160	1212	VC_redist.x86.exe	112
PID 1212 wrote to memory of 3160	1212	VC_redist.x86.exe	112
PID 1212 wrote to memory of 3160	1212	VC_redist.x86.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
  "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart
  2⤵
  - Downloads MZ/PE file
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\vcredist.tmp
    "C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" /q /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\Temp\{98C0B51B-D466-49E3-803D-2532D2D7672C}\.cr\vcredist.tmp
      "C:\Windows\Temp\{98C0B51B-D466-49E3-803D-2532D2D7672C}\.cr\vcredist.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" -burn.filehandle.attached=668 -burn.filehandle.self=696 /q /norestart
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\Temp\{20A86080-28D2-47B8-9B54-D2A59EDDC8CF}\.be\VC_redist.x86.exe
        
        "C:\Windows\Temp\{20A86080-28D2-47B8-9B54-D2A59EDDC8CF}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{78799138-1697-434C-8ABE-18BB53306A0F} {5D524863-74BB-4CAD-9937-ADF52091358B} 1468
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1004
      - C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={ba10fda9-f731-441f-a999-000bbb7ceec2} -burn.filehandle.self=1056 -burn.embedded BurnPipe.{5DEBBE1E-D5F8-42DB-813A-B09D4FFFBE1D} {2854E0D2-EFF2-4AA7-833D-50017D6237EB} 1004
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={ba10fda9-f731-441f-a999-000bbb7ceec2} -burn.filehandle.self=1056 -burn.embedded BurnPipe.{5DEBBE1E-D5F8-42DB-813A-B09D4FFFBE1D} {2854E0D2-EFF2-4AA7-833D-50017D6237EB} 1004
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{BAB36ACF-CEF6-42A0-B742-B7BB2140A1A2} {D107A6F9-4ECB-442F-B2CA-4D976DF4D6BE} 1212
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:3820

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f561.rbs

Filesize
16KB

MD5
5f198d28f63f7b8f0b211477502fb00d

SHA1
ab0e870ede18c387c5202a4cac37cb756b332369

SHA256
92c2ef8449bef8a62bf71fe9328caae40691fac18914805e471c2521a91d3f88

SHA512
51dc1198a6db86cb614d0f8b76769eaeb7297caa76201e8266f769d9d1fd3c781a65a8c4c34dc144cff537a9d14dc53733ad54c6269fd6da57fc6087b3261bc0

Download Submit
C:\Config.Msi\e57f566.rbs

Filesize
18KB

MD5
ec63c465810fbe4793358dc08844b84e

SHA1
443e4a3b2b84fa8020e831fd0be17a8f2032fc20

SHA256
a94f497e630d09dd4ab8ae31abbedbafd584b1206d550e9854c83962a9681632

SHA512
a1ce8aa519ea3b472ff87aeea49413289d042d65df46ea9cbfe9c80a272742f2ecdd3db46ff15ab7bfb9c21bcb290dfcecf77518f000f08d9ab70962d4f24547

Download Submit
C:\Config.Msi\e57f573.rbs

Filesize
20KB

MD5
15113636d1dd4c9bab2fda74e0cc2b6f

SHA1
6a084bb17132f62495f8e67227994b4b79bdb3ef

SHA256
86166f00f7039aaa9de00049ed46846d7de4d670552eeab4a8e161d799425ba9

SHA512
93c09e7a3b0761face172e89ecefd99c09c8a5367b116571108de17e3afa9c2f04aa42848e4fd045f9964496bb6fb4ef9b44dc69379948f2386cf6a8324772ce

Download Submit
C:\Config.Msi\e57f582.rbs

Filesize
19KB

MD5
a9cd434ee6c789f7d95b41be577ba2b2

SHA1
0b8a257eb6fefd40c2ccf7ecf6575c8c7a6807ee

SHA256
f487f5f9bce5ef64efebcc8941745cd2629d8e4c1383dc53e93d4a45d2260f89

SHA512
5851557715ebafdb7384a629ad379022941fa75591069c89348e7cc698a0f39b05e13eed91e4ac4ec1bc5f39ea5d8a184e324c89d21842b07e0e2dc71d5b1dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Roblox Account Manager.exe.log

Filesize
1KB

MD5
a02e8a8a790f0e0861e3b6b0dbe56062

SHA1
a3e65805e5c78641cafebc1052906d7350da9d2e

SHA256
7fada0f81b63e1ecb265e9620ace8f5f0d40773626081849f5d98e668bc4e594

SHA512
108a81f818aa027834d621c771e427ee3f300c59d9dc10d853b94b1e8d635cf6bc06338dce31da30b08660c6fb06a39f9069c983bb585049f5fe9f50b753eb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMSettings.ini

Filesize
1014B

MD5
1d917eaf5dcc8e06dd032c33f3a3d36a

SHA1
1eacb4eced22393fd5140910d30070f2e054e2fe

SHA256
787fa9af1c32b7e198119469c0e2c02c06b34ec7c990b62b9f4fb9bc8cedaa5f

SHA512
3cf5bc6160262ad454477cc0fab401696a7e5dff9e6fae1cdcfa0579ded640ea8c383dfcea6194f55c914927058e2355fd661d1fa83f87c10aeffa6a91cb9fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMTheme.ini

Filesize
314B

MD5
f18fa783f4d27e35e54e54417334bfb4

SHA1
94511cdf37213bebdaf42a6140c9fe5be8eb07ba

SHA256
563eb35fd613f4298cd4dceff67652a13ba516a6244d9407c5709323c4ca4bb1

SHA512
602f6a68562bc89a4b3c3a71c2477377f161470bf8ae8e6925bf35691367115abfa9809925bd09c35596c6a3e5a7e9d090e5198e6a885a6658049c8732a05071

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe.config

Filesize
6KB

MD5
0a86fa27d09e26491dbbb4fe27f4b410

SHA1
63e4b5afb8bdb67fc1d6f8dddeb40be20939289e

SHA256
2b6d99db8369b0ff6372737d89d1c9e4101815b4168a3852c7b513f2897e7f3d

SHA512
fbebc4dc0925d5d67271cac04c1ed324091442ef4c9f6243d2c1c523c9aa6b338c6a594e4987fc142dd3b2a023338a267c8a3454e47fbf0b3e0dbd7b3b65cc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20250321080735_000_vcRuntimeMinimum_x86.log

Filesize
2KB

MD5
ea2da8d303779940bcda224b5eebc2b8

SHA1
538c2fab0a1040e12e3933825658fcb770dca888

SHA256
0b98a441e135d0563e32a00561832237065dc9bf7f3a7d9319da4d404a199bb8

SHA512
7013806469e76c16b3bcd7f9449e5484fc19319201663c74450e7c44f1d0ce26464bf6539cdb1b0205b5e2985bea66e843ff63308b9166cce178eba1f688ee5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20250321080735_001_vcRuntimeAdditional_x86.log

Filesize
2KB

MD5
1a0b095f47774e6218c362e3cbdd8e8f

SHA1
4906d5a7b23a5f8252bddbe6db2abe85d0706707

SHA256
38848fb9e2000bca84eb10fab6dea6d59cdf8cdd4d963de76f363fa2419e40d2

SHA512
8e18c8e4258c7146ba6c8082a61f7c9eacaef58105eabeefef1390ec70273087b3aa2d180b0247107dce01351f52cd88dead6bcf58dd9ca51fc47d4eae8e73c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libsodium.dll

Filesize
477KB

MD5
4f6426e3626d5d46fb19c13043cb84de

SHA1
9dfa32f957c19c843a568b57d555d6d5cbc61579

SHA256
7a960129f6d3f8d44b4c6be27f587c29aa8bafb9c4d3c85bb84a5f5d8fa6e2ba

SHA512
7a83adf2b36973ceb52bfc95591bc91d4ac778a4e11d11723f6d8bf208811b8fa7d072851cfed73407c9413455de717e9a42f8e6bb1a133cb2b1981c66bb5832

Download Submit
C:\Users\Admin\AppData\Local\Temp\log4.config

Filesize
936B

MD5
e4659ac08af3582a23f38bf6c562f841

SHA1
19cb4f014ba96285fa1798f008deabce632c7e76

SHA256
e4b10630d9ec2af508de31752fbbc6816c7426c40a3e57f0a085ce7f42c77bd5

SHA512
5bfa1e021cc7ee5e7a00da865d68684202b3b92d3d369b85b80c591fffa67725d434398325dc1e37c659eab62c0a4118b3e279ac0096b95790d252ceb6254249

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist.tmp

Filesize
13.3MB

MD5
3ca2b599c42442b57aeb07229d731d71

SHA1
05194f6080b1df46f022bb6243d89b25d8640161

SHA256
c4e3992f3883005881cf3937f9e33f1c7d792ac1c860ea9c52d8f120a16a7eb1

SHA512
32cc452ba3e0eaa66cb1fef379f5f15fbd5d3d632dd7ef5a7259a641eb77b62096cb665faa3737a7a57798ca7aef4a9d859bd21d5fe036e1d7d2871834e0349b

Download Submit
C:\Windows\Temp\{20A86080-28D2-47B8-9B54-D2A59EDDC8CF}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{20A86080-28D2-47B8-9B54-D2A59EDDC8CF}\.ba\wixstdba.dll

Filesize
215KB

MD5
f68f43f809840328f4e993a54b0d5e62

SHA1
01da48ce6c81df4835b4c2eca7e1d447be893d39

SHA256
e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e

SHA512
a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1

Download Submit
C:\Windows\Temp\{20A86080-28D2-47B8-9B54-D2A59EDDC8CF}\cab54A5CABBE7274D8A22EB58060AAB7623

Filesize
841KB

MD5
e65f39dbc108a187a444a9b2a5e84a86

SHA1
75b3f86b1d064e10a66d2572133012f0baecdb0d

SHA256
2cb3a1b4f9a4baaf43f4ecc2fb80235c21591519b3e9f4a541a3d635998cdacf

SHA512
6e3aa41c02eb5c0b8e395154abc919a3c2e55466e9958cd428639498d2d3feac6ba16f4643e4e4a0daa0c88bc4a775846420841f4121de93fb0001233e4148ee

Download Submit
C:\Windows\Temp\{20A86080-28D2-47B8-9B54-D2A59EDDC8CF}\cabB3E1576D1FEFBB979E13B1A5379E0B16

Filesize
4.9MB

MD5
ccc09e9838800232f4b0a78881d261ec

SHA1
fc1191652ace6ffc210fa768572fdf3369472358

SHA256
6581882e1855424594ea007bc25c00ed9efa8da59914f30cd6b0a1a6de8be804

SHA512
1413beddcc76faa847db0cd54f5cba187f2af4c4353f42df066890bd7539fa545cf7eb31a2c1bc955046b5dcb20c14f6d6f0bf17b851e448a64bb36091af07d6

Download Submit
C:\Windows\Temp\{20A86080-28D2-47B8-9B54-D2A59EDDC8CF}\vcRuntimeAdditional_x86

Filesize
200KB

MD5
0dc080b360efc4ddfcb304c91b4d720e

SHA1
fc040fc1385bed606766c6143ac6717c2011693a

SHA256
957492cd0e106d7296b1f2eb9642d34300d11fbce603866f3d5762c2e08f33c3

SHA512
951ee949b7fa914ef169ac102586ff12d31e0b0cc0131024570dac10012b6e5561ce322b1a06921f619ece6d2fe0cc035efab0763e0283177d0162c40903dcf9

Download Submit
C:\Windows\Temp\{20A86080-28D2-47B8-9B54-D2A59EDDC8CF}\vcRuntimeMinimum_x86

Filesize
200KB

MD5
e71252db352456772c9fcbc9e698aaae

SHA1
f855dd275a133044a95cc19cffa73faafeba16cb

SHA256
a8fd1435b086e6d2d7cce233a5bdd899ef6ac76be755883c55df134c5aba1a2d

SHA512
4250635a2a0cf5c55ee4d26dc7c5dda0633828b68b5bd5ad17cecdbe5211ff5e051968ccc0357b21025d127eca81b7976966717d687652d67a22b780bd397cb0

Download Submit
C:\Windows\Temp\{98C0B51B-D466-49E3-803D-2532D2D7672C}\.cr\vcredist.tmp

Filesize
669KB

MD5
b39d9459c56144a8a8d71bb27f198535

SHA1
5770485f780976f49a0b099e223b4521c43ab99b

SHA256
0bf10b50928e59c4cd9380a87d9aa89e61c4a1494567f99d914effe240b0dbad

SHA512
e04ceed20d19f2a4164cb73d5c06d48089effcdb9d92f492efa7dff827d610d4dc7c4a01ebe2ffac2837686064e5b602ae1bbd30371d1d9282959a7a3ca0ba1f

Download Submit
C:\Windows\Temp\{C78FCE20-AEDB-4EB2-8F7C-C0AA0DCC85D2}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
memory/1212-486-0x0000000000710000-0x0000000000787000-memory.dmp

Filesize
476KB

Download
memory/3160-449-0x0000000000710000-0x0000000000787000-memory.dmp

Filesize
476KB

Download
memory/3704-19-0x00000000069C0000-0x0000000006A34000-memory.dmp

Filesize
464KB

Download
memory/3704-109-0x000000000FC00000-0x000000000FC12000-memory.dmp

Filesize
72KB

Download
memory/3704-25-0x000000000BB40000-0x000000000BB4A000-memory.dmp

Filesize
40KB

Download
memory/3704-90-0x00000000055A0000-0x00000000055F8000-memory.dmp

Filesize
352KB

Download
memory/3704-24-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3704-95-0x00000000077A0000-0x0000000007852000-memory.dmp

Filesize
712KB

Download
memory/3704-96-0x0000000007990000-0x00000000079B2000-memory.dmp

Filesize
136KB

Download
memory/3704-97-0x00000000079C0000-0x0000000007AB4000-memory.dmp

Filesize
976KB

Download
memory/3704-98-0x0000000007AB0000-0x0000000007ACA000-memory.dmp

Filesize
104KB

Download
memory/3704-99-0x0000000007AD0000-0x0000000007AD8000-memory.dmp

Filesize
32KB

Download
memory/3704-100-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3704-101-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3704-102-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3704-103-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3704-104-0x000000000D400000-0x000000000D414000-memory.dmp

Filesize
80KB

Download
memory/3704-106-0x000000000D570000-0x000000000D578000-memory.dmp

Filesize
32KB

Download
memory/3704-105-0x000000000FC30000-0x000000000FC80000-memory.dmp

Filesize
320KB

Download
memory/3704-26-0x000000000BEB0000-0x000000000BF50000-memory.dmp

Filesize
640KB

Download
memory/3704-108-0x000000000EB50000-0x000000000EB5A000-memory.dmp

Filesize
40KB

Download
memory/3704-23-0x000000000B020000-0x000000000B05A000-memory.dmp

Filesize
232KB

Download
memory/3704-22-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3704-20-0x0000000006B80000-0x0000000006B8A000-memory.dmp

Filesize
40KB

Download
memory/3704-444-0x000000006D920000-0x000000006D935000-memory.dmp

Filesize
84KB

Download
memory/3704-16-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3704-14-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3704-297-0x0000000010010000-0x0000000010364000-memory.dmp

Filesize
3.3MB

Download
memory/3824-487-0x0000000000710000-0x0000000000787000-memory.dmp

Filesize
476KB

Download
memory/3988-15-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3988-7-0x0000000005D90000-0x0000000005DAE000-memory.dmp

Filesize
120KB

Download
memory/3988-6-0x0000000005D30000-0x0000000005D56000-memory.dmp

Filesize
152KB

Download
memory/3988-5-0x0000000005E30000-0x0000000005EC2000-memory.dmp

Filesize
584KB

Download
memory/3988-4-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3988-3-0x0000000005CC0000-0x0000000005D06000-memory.dmp

Filesize
280KB

Download
memory/3988-0-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/3988-2-0x0000000006340000-0x00000000068E4000-memory.dmp

Filesize
5.6MB

Download
memory/3988-1-0x0000000000DC0000-0x000000000132C000-memory.dmp

Filesize
5.4MB

Download