b63dcb669681f2aca1445de004059626f38776990ebb2be70eeb5fc785e8a3b2

Analysis

max time kernel
50s
max time network
66s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
14-01-2025 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DXCap.exe
Size

180KB
MD5

71eeef715519994f2663e3000e161f75
SHA1

b55b131ab2add764dd99c632e561c5e4034bd8cf
SHA256

b63dcb669681f2aca1445de004059626f38776990ebb2be70eeb5fc785e8a3b2
SHA512

2ac8611bd883bb6309fe474610b68d2eb4634ddc751df22d96076577b30709b93f9d582e4faedbddbb16da0e71258feadeb88a054cd6c26d20477ea08013037f
SSDEEP

3072:lgYxxc8b+ckkz5d45BOVPGMhHuKA59jIBb35O1aY:FG8b+1K08r3SN

Score

8^/10

microsoft defense_evasion discovery persistence phishing

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Control Panel\International\Geo\Nation	VC_redist.x64.exe

Executes dropped EXE 3 IoCs

pid	Process
2428	VC_redist.x64.exe
1844	VC_redist.x64.exe
5116	VC_redist.x64.exe

Loads dropped DLL 2 IoCs

pid	Process
1844	VC_redist.x64.exe
2400	VC_redist.x64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{804e7d66-ccc2-4c12-84ba-476da31d103d} = "\"C:\\ProgramData\\Package Cache\\{804e7d66-ccc2-4c12-84ba-476da31d103d}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e584e98.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5252.tmp	msiexec.exe
File created	C:\Windows\Installer\e584eab.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI54E3.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E1902FC6-C423-4719-AB8A-AC7B2694B367}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI50DA.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{382F1166-A409-4C5B-9B1E-85ED538B8291}	msiexec.exe
File created	C:\Windows\Installer\e584eaa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e584eab.msi	msiexec.exe
File created	C:\Windows\Installer\e584ec0.msi	msiexec.exe
File created	C:\Windows\Installer\e584e98.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI565B.tmp	msiexec.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\VC_redist.x64.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{804e7d66-ccc2-4c12-84ba-476da31d103d}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6CF2091E324C9174BAA8CAB762493B76\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34433"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\Version = "237667969"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.42,bundle\Dependents\{804e7d66-ccc2-4c12-84ba-476da31d103d}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\PackageCode = "C029B57ADC55135439F2BCC435C9148F"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.42,bundle\ = "{804e7d66-ccc2-4c12-84ba-476da31d103d}"	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\6611F283904AB5C4B9E158DE35B82819	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.42.34433"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34433"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6611F283904AB5C4B9E158DE35B82819	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{382F1166-A409-4C5B-9B1E-85ED538B8291}v14.42.34433\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6CF2091E324C9174BAA8CAB762493B76\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6CF2091E324C9174BAA8CAB762493B76	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6611F283904AB5C4B9E158DE35B82819\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\SourceList\PackageName = "vc_runtimeMinimum_x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.42.34433"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34433"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.42,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.42.34433"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{E1902FC6-C423-4719-AB8A-AC7B2694B367}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\PackageCode = "C115E40EF1D73624BAA68F6193F24D7D"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{804e7d66-ccc2-4c12-84ba-476da31d103d}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\6CF2091E324C9174BAA8CAB762493B76	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\SourceList\PackageName = "vc_runtimeAdditional_x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{382F1166-A409-4C5B-9B1E-85ED538B8291}v14.42.34433\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{382F1166-A409-4C5B-9B1E-85ED538B8291}"	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\VC_redist.x64.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe
1732	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	firefox.exe
Token: SeDebugPrivilege	4792	firefox.exe
Token: SeBackupPrivilege	1828	vssvc.exe
Token: SeRestorePrivilege	1828	vssvc.exe
Token: SeAuditPrivilege	1828	vssvc.exe
Token: SeShutdownPrivilege	5116	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	5116	VC_redist.x64.exe
Token: SeSecurityPrivilege	1732	msiexec.exe
Token: SeCreateTokenPrivilege	5116	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	5116	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	5116	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	5116	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	5116	VC_redist.x64.exe
Token: SeTcbPrivilege	5116	VC_redist.x64.exe
Token: SeSecurityPrivilege	5116	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	5116	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	5116	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	5116	VC_redist.x64.exe
Token: SeSystemtimePrivilege	5116	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	5116	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	5116	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	5116	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	5116	VC_redist.x64.exe
Token: SeBackupPrivilege	5116	VC_redist.x64.exe
Token: SeRestorePrivilege	5116	VC_redist.x64.exe
Token: SeShutdownPrivilege	5116	VC_redist.x64.exe
Token: SeDebugPrivilege	5116	VC_redist.x64.exe
Token: SeAuditPrivilege	5116	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	5116	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	5116	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	5116	VC_redist.x64.exe
Token: SeUndockPrivilege	5116	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	5116	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	5116	VC_redist.x64.exe
Token: SeManageVolumePrivilege	5116	VC_redist.x64.exe
Token: SeImpersonatePrivilege	5116	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	5116	VC_redist.x64.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
1844	VC_redist.x64.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 4792	2136	firefox.exe	87
PID 2136 wrote to memory of 4792	2136	firefox.exe	87
PID 2136 wrote to memory of 4792	2136	firefox.exe	87
PID 2136 wrote to memory of 4792	2136	firefox.exe	87
PID 2136 wrote to memory of 4792	2136	firefox.exe	87
PID 2136 wrote to memory of 4792	2136	firefox.exe	87
PID 2136 wrote to memory of 4792	2136	firefox.exe	87
PID 2136 wrote to memory of 4792	2136	firefox.exe	87
PID 2136 wrote to memory of 4792	2136	firefox.exe	87
PID 2136 wrote to memory of 4792	2136	firefox.exe	87
PID 2136 wrote to memory of 4792	2136	firefox.exe	87
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 1872	4792	firefox.exe	88
PID 4792 wrote to memory of 3612	4792	firefox.exe	89
PID 4792 wrote to memory of 3612	4792	firefox.exe	89
PID 4792 wrote to memory of 3612	4792	firefox.exe	89
PID 4792 wrote to memory of 3612	4792	firefox.exe	89
PID 4792 wrote to memory of 3612	4792	firefox.exe	89
PID 4792 wrote to memory of 3612	4792	firefox.exe	89
PID 4792 wrote to memory of 3612	4792	firefox.exe	89
PID 4792 wrote to memory of 3612	4792	firefox.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\DXCap.exe
"C:\Users\Admin\AppData\Local\Temp\DXCap.exe"
1⤵
PID:1844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\DXCap.exe
"C:\Users\Admin\AppData\Local\Temp\DXCap.exe"
1⤵
PID:4272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1864 -prefsLen 26921 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ba8fc59-1bc5-43fd-bcc0-ae28da38fb98} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" gpu
    3⤵
    PID:1872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2344 -prefsLen 26799 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cfac4ec-6f3e-46d7-92b4-4b32a5bc4340} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" socket
    3⤵
    PID:3612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3012 -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 3116 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {588361fe-92fe-43bb-a566-83b1ec4aed67} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" tab
    3⤵
    PID:4848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3708 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 3696 -prefsLen 32173 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa0309f1-69a6-4128-a3f8-f98784e90bec} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" tab
    3⤵
    PID:804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4676 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4668 -prefMapHandle 3008 -prefsLen 32173 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b40cfc6-1f80-4e2e-89c6-a982c5815638} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" utility
    3⤵
    - Checks processor information in registry
    PID:1488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5152 -childID 3 -isForBrowser -prefsHandle 5144 -prefMapHandle 5140 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71a6561e-567e-429b-9287-fffec0f6497a} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" tab
    3⤵
    PID:1472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 4 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c42d220c-beec-418e-9eb8-692b9c601d1c} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" tab
    3⤵
    PID:348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -childID 5 -isForBrowser -prefsHandle 5524 -prefMapHandle 5528 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96137267-384d-4f28-a129-311ae3c40dc1} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" tab
    3⤵
    PID:1372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6276 -childID 6 -isForBrowser -prefsHandle 6216 -prefMapHandle 6212 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {349e42f8-896f-4d1d-b787-3816ef97ddc9} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" tab
    3⤵
    PID:4212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6512 -childID 7 -isForBrowser -prefsHandle 6528 -prefMapHandle 6524 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fc8a7dc-deb6-41cc-95b9-33d8a30fd990} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" tab
    3⤵
    PID:4760
- - C:\Users\Admin\Downloads\VC_redist.x64.exe
    "C:\Users\Admin\Downloads\VC_redist.x64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2428
  - - C:\Windows\Temp\{3EB23C26-EF10-47E8-B5FF-90744CEE3FB5}\.cr\VC_redist.x64.exe
      "C:\Windows\Temp\{3EB23C26-EF10-47E8-B5FF-90744CEE3FB5}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\VC_redist.x64.exe" -burn.filehandle.attached=584 -burn.filehandle.self=720
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:1844
    - - C:\Windows\Temp\{95A04A47-6E84-417E-BC2A-33F9D646DD16}\.be\VC_redist.x64.exe
        
        "C:\Windows\Temp\{95A04A47-6E84-417E-BC2A-33F9D646DD16}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{BED67CCB-B8FB-4036-8C34-0FAB7CFC0CEB} {240DFDEB-DBF7-40EA-9DF4-934E6815BB72} 1844
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1032 -burn.embedded BurnPipe.{0498F098-5A5E-47D4-BA8C-300634D1FE33} {17A9E53E-1BC8-4B9F-8D71-0CFD8F23CB93} 5116
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1032 -burn.embedded BurnPipe.{0498F098-5A5E-47D4-BA8C-300634D1FE33} {17A9E53E-1BC8-4B9F-8D71-0CFD8F23CB93} 5116
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{C05D9EEA-D196-4288-B2BC-348C42455CEB} {2A5A95C4-2D14-4094-AA7F-B9C1A2EACF9F} 2400
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Users\Admin\AppData\Local\Temp\DXCap.exe
"C:\Users\Admin\AppData\Local\Temp\DXCap.exe"
1⤵
PID:5168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e584e9d.rbs

Filesize
19KB

MD5
85714064332fb0d585fa32bcc000258b

SHA1
4645d72e19a0f326a367aed06b26b2d935dd6e52

SHA256
b69637207d26d56b701fdb3979b0239e638caec6de2177bcd5f1f386fb18a05d

SHA512
53830745da81cf1ef61e97fcaf81970fa54b073dc57449bdab3a79c10157100b434a7f4805ae2bf5296691bf32dba5d07c62e6dff357424b92e253d702ab4204

Download Submit
C:\Config.Msi\e584ea9.rbs

Filesize
19KB

MD5
92c83443854e3f3128a844374d035907

SHA1
5ce0fb28ffe0f9fb1d0298c8561960a63266ab2c

SHA256
b7e8f24767e64b03c79bda91b636eecad81a7ffab4e0e2a72e06bc7c03243fa9

SHA512
cb1f085fa9ef78a6ae3ea2dc6232cea4e190371ffa590de1dff107128ee7e5f909e081670c1c23f4cd7ce44c2443405914f5097c8c3f6cf28ab942d99c83cf3f

Download Submit
C:\Config.Msi\e584eb0.rbs

Filesize
21KB

MD5
30685a4e5dbba33876de5e3066612f9d

SHA1
dd6b3a18b46e3891bf99ddafdec493537306374a

SHA256
159a824c204b7093b72cfdf9aac54ec0c45c5434560fcea2d740c0193e393fd5

SHA512
ec90b3b52a278d8d0218826310ed3cc3d0a9eea60c8e79db453d16162ae404b91125ee71328bc78df92cb71dfb46576ce7b841d7680dc35f4829d33d13d6d3a3

Download Submit
C:\Config.Msi\e584ebf.rbs

Filesize
21KB

MD5
dec37cd6c975796f016e39640a2894f6

SHA1
e4320ca600a1a8b26de949d7c7627a4783597f00

SHA256
54803e3a5bcb451c50c23f2901a79428b518c1cca7bb9f1f0bf2e8e963bf5ba7

SHA512
00bd6e61e05aceee4a31a68fe308a9b420928f3203c4f7980f656b70945706b3e6d3d7a2d0ba8343e5e4e075ef026b07bb66c71dcee641c7cd3d893b66a8780d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1g11cwvb.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
5f90a9bd2a71fb48e7cd6adc587eed98

SHA1
f0af52f942df6b9e6a934014f265defb49b2118a

SHA256
9ff57d7b4a9191c26a99d9ec40b7bd1f69051504edfe5875b6d544efbf7f9240

SHA512
90f246089516aa298e5a5dee3cc49d1a51af250a134e4f790aacd70b9475d92d08bf06653befbf9c22f6ca84281fbb6d9f1f266a7a896684f2156e8285b970a8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1g11cwvb.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
48eab830385f91d695a92c6f65df3ded

SHA1
77f6216c5e496d9f05f7b508c77430dc230106c7

SHA256
01da0fa5eeb697bcb4ffc591a9a48b87812e2575e9b8cab076f18b21094d1308

SHA512
0315cc848418b400872fd03fd3c8ecdaf2ee2dae6e86f56003a0d6b21ee8c31c0f3556a1610eaffd62282f07567ffd792277195d0baa41f586ae35b145610f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20250114040820_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
46f304a610261fc6020989fd2225b183

SHA1
84386ebd8cf3cad994593d736ee7690d9625292f

SHA256
bdc94f64bb4156508c69e3b7253dd4d17c439ae3caf90a7ad97f5eb3cf5a6ec4

SHA512
03d444727538b41af39faf3406d6f9a36677c6f62488d5211e35fa370f9cd06ce1a358e63f4f7a409b1913bf671f334e87f4def9d133974cb0a2228860299cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20250114040820_001_vcRuntimeAdditional_x64.log

Filesize
3KB

MD5
58a228cad00b1e94198fc4f37faffb6e

SHA1
d1a2dd91f9137e860894977059d692929a10ef6b

SHA256
2e503ed4b39de43220b20086494404f03ff01a224f176a13ec9e138d9a3bb03a

SHA512
67dbd1a46c1acbb334a6d9bfb3501adb678b063506076da88fca66545427c87909897b4ba0ddc9fd76e332ed35d00b635942c3aa5afff7c7e495188cda9b2f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1g11cwvb.default-release\AlternateServices.bin

Filesize
8KB

MD5
075ccf62eee5a96d787248e615dd7242

SHA1
c8057da95246f0152fdcef9a5fd8c07d44217903

SHA256
6ecc5690f2d8f7d407f9ff7c08db384498d74ec0bb25a38bccce02984ec991f7

SHA512
65eecc50e80a7d96e06c353935bce0509bb0b3b0b37175adea1b17828f83cc357379b20b15d5600bdb94d6fd6dc0fe8d8c545207ee9470ee8dc710cbb53a4773

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1g11cwvb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1db24085bab7fb3d6b7f21e7491cf3e9

SHA1
bf6cffc20251a1449a47c8d41e1be0fa12e03164

SHA256
bb9edcdd9bcde6667acad3d9fc01e0a4d98c2fbc7dc378d3618a50fd1c67a22d

SHA512
b20f489ecac78ef3a6f22578cc3b72d8b51ed9433f13f80a68f8c32a4ec80ca8d652ae85f7a42af7bf158cf0bae0a4008f14d0401330c22f5c19281b9eee3ef3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1g11cwvb.default-release\datareporting\glean\pending_pings\0655c4e0-0eed-41fe-a14d-6f6e45be4071

Filesize
25KB

MD5
5f4dbb160fcdfbf2b01d253bf60b8a35

SHA1
aa7e9f16f822ea68ba6b76b82c88389debd811fa

SHA256
4cbaf31aff705f80b3f5c91ceed0907b16768996df8240fb42b20e8e77c0f367

SHA512
1709a5629fecb024eb3cc6bdbc92be48d11810f45b85318b15b2b1e259c1f02ead07aa3486fd8ff43b54912a133690c6fbcd27c3262b8eb942606c112fb24b0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1g11cwvb.default-release\datareporting\glean\pending_pings\12c87c9f-f148-471c-a510-abef5b32be23

Filesize
671B

MD5
2849683cde922621bad01a6d72046124

SHA1
d22f5ce9d292923270125ad2152ad20f6a8689ab

SHA256
6aef06043a5b2de088ff87ed05a06876b4cfdd60bd29170a8866d852b767d8d8

SHA512
375b507a77d52ca6f4a981f2464945e7afc1d8fb0a002431aafed6ae04617be41568b61c03d9f74c0518f9f2c97e4a99edaf18bb14bcf5f725899f838ad2e195

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1g11cwvb.default-release\datareporting\glean\pending_pings\af0dd05a-86ff-4713-819e-e8668471f2af

Filesize
982B

MD5
a65971148b97155f199f7bfdded9e91d

SHA1
6abde3d9cb6806c962be89111ea10135e9fdfa40

SHA256
0358c2d96796ffb924ff3bb95b271474b07038d9a684a582d3cea45a29fb7196

SHA512
029888fe350ea60dbd446422ab0a9d1704d6a70df91d5be8aec2e15fdbecb393fb7c30197c5bf23058a8156e6ef91c80abfb7f7b11e7a96aed5f11a52534e7f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1g11cwvb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1g11cwvb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1g11cwvb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1g11cwvb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1g11cwvb.default-release\prefs-1.js

Filesize
10KB

MD5
e2bbdaacf5aeb4a02b797afcb7779fdc

SHA1
6399a7310d2cac16a3b6d2f53bf6dd106b2d4a88

SHA256
c108e9667acf651cd2a9318bc7e2cef8efdd2e91d264c17d801fbe5608e743b7

SHA512
6072a76ea9da4e258b3b2c80ed653621592660ee38d58e24a968fb7051678108d3195401fac354d9af817f506d1b761baec50e26145dfaf9a0e3da880d303d90

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1g11cwvb.default-release\prefs.js

Filesize
9KB

MD5
3e8ea80bc6443bf4cb47c0afaf742b14

SHA1
5c4300e4c492129e6fd1bf3f4098c9be9e2599fb

SHA256
a697a1ac0fceca4337b0a07cb58bb72fdac34110e9976e052b33743511883093

SHA512
4df1ae53e16859c8c396a54474de0339c1359b041072cda37bfd41de09fc24e46fac0d1f5d58ad0b24ca8b00b320ce1278304f3f7e383ebf7e873497488ab788

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1g11cwvb.default-release\prefs.js

Filesize
9KB

MD5
8d1889ef5d0ec8afcb7b8f58f0999f90

SHA1
9b7f90d6dd4b1bcc8b2a3b9ea1f693660ec74e10

SHA256
8260090c098b732cbfb08d0da7317a3531d22d525c455984a93b5768d82e2c71

SHA512
269e44caef95b3a9e4d0bd1218e79acb9f2b77bffffdbbca256c457388becf5603dd3daf64de4e4f2dc7cdcbef19afb3e770cea5e62ddb92b9b5bff87bb4b8bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1g11cwvb.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
6684cafb8798abc8165fc80a164f1e23

SHA1
69ad91511a41755978228a101b751ebde9621fdd

SHA256
a6c5bb06f011b25071f5950a4f20ebcd9c119264f032d814caf02f4c272be8e5

SHA512
80756363c821027c084d7f8181fa15e11983cc3f808ebbda862382d73ca03d6a07ca297b27a25057ef26357c6811707d94eac90474ad3891a3cd187d45435023

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1g11cwvb.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
e333fe048cb891cdd8e7ad1c2124a4f0

SHA1
84d88ca6d31b3456531dd5ba1e0b56dfa0786e75

SHA256
1f4d0aff45023d5e733a6dc18ba2e142c7ed913abd53448398358c118b46879d

SHA512
99acc3e345fa71674ecd47b501a3cf46d624d1dcfeb1caae390fcacd262c8c3c19e6bfd0b676d18ca8d122a61952a59095b26548b22b4705b6c6a83a52a4b7bf

Download Submit
C:\Users\Admin\Downloads\VC_redist.6zM2VtpA.x64.exe.part

Filesize
24.5MB

MD5
223a76cd5ab9e42a5c55731154b85627

SHA1
38b647d37b42378222856972a1e22fbd8cf4b404

SHA256
1821577409c35b2b9505ac833e246376cc68a8262972100444010b57226f0940

SHA512
20e2d7437367cb262ce45184eb4d809249fe654aa450d226e376d4057c00b58ecfd8834a8b5153eb148960ffc845bed1f0943d5ff9a6fc1355b1503138562d8d

Download Submit
C:\Windows\Temp\{2319157C-5870-42FE-BB39-1791E55E5194}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{3EB23C26-EF10-47E8-B5FF-90744CEE3FB5}\.cr\VC_redist.x64.exe

Filesize
670KB

MD5
3f32f1a9bd60ae065b89c2223676592e

SHA1
9d386d394db87f1ee41252cac863c80f1c8d6b8b

SHA256
270fa05033b8b9455bd0d38924b1f1f3e4d3e32565da263209d1f9698effbc05

SHA512
bddfeab33a03b0f37cff9008815e2900cc96bddaf763007e5f7fdffd80e56719b81341029431bd9d25c8e74123c1d9cda0f2aefafdc4937095d595093db823df

Download Submit
C:\Windows\Temp\{95A04A47-6E84-417E-BC2A-33F9D646DD16}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{95A04A47-6E84-417E-BC2A-33F9D646DD16}\.ba\wixstdba.dll

Filesize
215KB

MD5
f68f43f809840328f4e993a54b0d5e62

SHA1
01da48ce6c81df4835b4c2eca7e1d447be893d39

SHA256
e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e

SHA512
a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1

Download Submit
C:\Windows\Temp\{95A04A47-6E84-417E-BC2A-33F9D646DD16}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
5866203168b27f18c1b47abfa6823e02

SHA1
3b696be0a4cf750965d74263e43b8e302cb1b318

SHA256
7d48e0905ebea9b14a07cff687705dfdc50d795cd4c32e5ed87a0e344884b430

SHA512
037f793f60be84f1da005d47e21783e719a85b5c12c4d20050ad9d3254ac99ba8eb30b4b1378bac69379dbc659427dc1ae4a19062ecd337d47d480d047afb669

Download Submit
C:\Windows\Temp\{95A04A47-6E84-417E-BC2A-33F9D646DD16}\cab5046A8AB272BF37297BB7928664C9503

Filesize
969KB

MD5
8c302e40fbf614896ba36a75f3f8977e

SHA1
991af1495f7783173d0c5691be38ff8648f2df12

SHA256
b384b812dc59c2081cee080ea6bba748e02ecf3c0800d8dcaf9607a20a4f3290

SHA512
53b1d7d8ab495931f50b5d815afe04d52f9e0bbafa0a5f3e4f6605b6e4f2a85c583abf9014dec41481439827bb6bab23ac439d4fd7d0c3f191f21b2bf5afb11d

Download Submit
C:\Windows\Temp\{95A04A47-6E84-417E-BC2A-33F9D646DD16}\vcRuntimeAdditional_x64

Filesize
208KB

MD5
351d8e8c804f6c6aab4c718977b1817d

SHA1
1b680e5e2ed548e5636f9d656c49c87cf9a70da8

SHA256
cf584e5132ef3766a088f824bd038494713a7168cdddd44e3f8c4ad581e2206e

SHA512
d0613c6b1a72c73013c0519619c557811a1d20fcddc8361d391a31fc4aa9c70173b907957babb049067111427a81e48a82e5467a15dae8bebb55b048993c93a4

Download Submit
C:\Windows\Temp\{95A04A47-6E84-417E-BC2A-33F9D646DD16}\vcRuntimeMinimum_x64

Filesize
208KB

MD5
09042ba0af85f4873a68326ab0e704af

SHA1
f08c8f9cb63f89a88f5915e6a889b170ce98f515

SHA256
47cceb26dd7b78f0d3d09fddc419290907fe818979884b2192c834034180e83b

SHA512
1c9552a8bf478f9edde8ed67a8f40584a757c66aaf297609b4f577283469287992c1f84ebe15df4df05b0135e4d67c958a912738f4814440f6fd77804a2cfa7d

Download Submit
memory/2400-787-0x0000000000300000-0x0000000000377000-memory.dmp

Filesize
476KB

Download
memory/3044-750-0x0000000000300000-0x0000000000377000-memory.dmp

Filesize
476KB

Download
memory/3472-788-0x0000000000300000-0x0000000000377000-memory.dmp

Filesize
476KB

Download