fa9d7937be2a58815fa10ce365e48014e4839996b99134c33a178dc9ef5035ae

Analysis

max time kernel
133s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27/04/2024, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VisualStudioSetup.exe
Size

3.8MB
MD5

ee8662fc39220a328d4d33b8bcc95122
SHA1

861ed8a3c3df0c167e211e2ce59441d79d91e51b
SHA256

fa9d7937be2a58815fa10ce365e48014e4839996b99134c33a178dc9ef5035ae
SHA512

b0f0d42c423a5673d0442a5a10384e6d9a8371733d0b5818bbda6fc612e02c2b378be0b29987375fd68fb91ae256731d2ab5715f7464a1a2b115b745a54df398
SSDEEP

49152:P6bEbiMC/R51Rf9fPrFHB9k1JKbFQRVevDjr4Oapdzq88oPOV2gHyI:KEbixR9fPrFHwu4VeLjUOkq8XOUgHr

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\6EA26FFDFC3C3CADAF6C = "\"C:\\Program Files (x86)\\Microsoft Visual Studio\\Installer\\setup.exe\" resume --installPath \"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\" --runOnce --installSessionId 0572d554-a8a0-45ba-a045-04f0082161fe"	setup.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\es\Microsoft.VisualStudio.Threading.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\Microsoft.Diagnostics.Tracing.TraceEvent.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\fr\Microsoft.VisualStudio.ExtensionEngine.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\it\Microsoft.VisualStudio.Services.Gallery.WebApi.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.VisualStudio.Shell.15.0.dll	vs_setup_bootstrapper.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Visual Database Tools\dsref80.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\x86\msvcp140.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\es\VSInstallerElevationService.Contracts.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\fr\Microsoft.VisualStudio.Services.Common.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\ja\StreamJsonRpc.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.Bcl.AsyncInterfaces.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.Identity.Client.Extensions.Msal.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.Internal.VisualStudio.Shell.Framework.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\System.IO.Pipelines.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\pl\feedback.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\zh-Hant\VSInstallerElevationService.Contracts.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\zh-Hant\Microsoft.ServiceHub.Framework.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\ja\Microsoft.VisualStudio.Services.Common.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\zh-Hans\Microsoft.TeamFoundation.Common.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\zh-Hant\Microsoft.VisualStudio.Validation.resources.dll	vs_setup_bootstrapper.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Microsoft.Build.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe.config	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\it\VSInstallerElevationService.Contracts.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.IO.Redist.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Assets\Installer.70x70.contrast-black_scale-80.png	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\de\Microsoft.VisualStudio.ExtensionEngine.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\en\Microsoft.VisualStudio.Imaging.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.VisualStudio.RpcContracts.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.version.json	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Assets\Installer.150x150.contrast-white_scale-100.png	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\System.Security.AccessControl.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\tr\Microsoft.VisualStudio.Services.Common.resources.dll	vs_setup_bootstrapper.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Microsoft.Build.Tasks.Core.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\pl\Microsoft.VisualStudio.Setup.Download.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\msalruntime_x86.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\cs\Microsoft.VisualStudio.Setup.InstallerResources.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\System.IdentityModel.Tokens.Jwt.dll	vs_setup_bootstrapper.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.Debugger.Runtime.NetCoreApp.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Assets\Installer.70x70.contrast-black_scale-140.png	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\fr\VSIXInstaller.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Assets\Installer.150x150.contrast-black_scale-180.png	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\pt-BR\StreamJsonRpc.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\zh-Hans\vs_layout.resources.dll	vs_setup_bootstrapper.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Microsoft.Build.Tasks.Core.dll	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Remote Debugger\x86\Runtime\Microsoft.VisualStudio.Debugger.Runtime.NetCoreApp.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\ru\Microsoft.VisualStudio.Threading.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\zh-Hans\Microsoft.VisualStudio.Imaging.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\fr\Microsoft.TeamFoundation.Common.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\System.Memory.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\zh-Hant\StreamJsonRpc.resources.dll	vs_setup_bootstrapper.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Remote Debugger\x86\Runtime\Microsoft.VisualStudio.Debugger.Runtime.Impl.dll	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.Debugger.Runtime.NetCoreApp.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\de\Microsoft.VisualStudio.Setup.Common.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\System.Numerics.Vectors.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\fr\Microsoft.ServiceHub.Framework.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.VisualStudio.Telemetry.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\System.Composition.Convention.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\VSInstallerElevationService.exe	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Assets\Installer.70x70.contrast-standard_scale-80.png	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\zh-Hant\Microsoft.VisualStudio.Setup.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\zh-Hant\VSIXInstaller.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\zh-Hant\Microsoft.ServiceHub.Resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\cs\Microsoft.VisualStudio.Setup.resources.dll	vs_setup_bootstrapper.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{26768860-CBEB-408D-9F30-87E0DBE11A6E}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	ngen.exe
File created	C:\Windows\Installer\e58af46.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58af46.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB0AD.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe

Executes dropped EXE 4 IoCs

pid	Process
2312	vs_setup_bootstrapper.exe
1620	setup.exe
800	vs_installer.windows.exe
3432	setup.exe

Loads dropped DLL 23 IoCs

pid	Process
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	vs_setup_bootstrapper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vs_setup_bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vs_setup_bootstrapper.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
2312	vs_setup_bootstrapper.exe
3432	setup.exe
1620	setup.exe
1620	setup.exe
3432	setup.exe
3432	setup.exe
3432	setup.exe
3432	setup.exe
4252	msiexec.exe
4252	msiexec.exe
3432	setup.exe
1620	setup.exe
1620	setup.exe
3432	setup.exe
3432	setup.exe
3432	setup.exe
3432	setup.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	vs_setup_bootstrapper.exe
Token: SeDebugPrivilege	1620	setup.exe
Token: SeDebugPrivilege	3432	setup.exe
Token: SeShutdownPrivilege	3432	setup.exe
Token: SeIncreaseQuotaPrivilege	3432	setup.exe
Token: SeSecurityPrivilege	4252	msiexec.exe
Token: SeCreateTokenPrivilege	3432	setup.exe
Token: SeAssignPrimaryTokenPrivilege	3432	setup.exe
Token: SeLockMemoryPrivilege	3432	setup.exe
Token: SeIncreaseQuotaPrivilege	3432	setup.exe
Token: SeMachineAccountPrivilege	3432	setup.exe
Token: SeTcbPrivilege	3432	setup.exe
Token: SeSecurityPrivilege	3432	setup.exe
Token: SeTakeOwnershipPrivilege	3432	setup.exe
Token: SeLoadDriverPrivilege	3432	setup.exe
Token: SeSystemProfilePrivilege	3432	setup.exe
Token: SeSystemtimePrivilege	3432	setup.exe
Token: SeProfSingleProcessPrivilege	3432	setup.exe
Token: SeIncBasePriorityPrivilege	3432	setup.exe
Token: SeCreatePagefilePrivilege	3432	setup.exe
Token: SeCreatePermanentPrivilege	3432	setup.exe
Token: SeBackupPrivilege	3432	setup.exe
Token: SeRestorePrivilege	3432	setup.exe
Token: SeShutdownPrivilege	3432	setup.exe
Token: SeDebugPrivilege	3432	setup.exe
Token: SeAuditPrivilege	3432	setup.exe
Token: SeSystemEnvironmentPrivilege	3432	setup.exe
Token: SeChangeNotifyPrivilege	3432	setup.exe
Token: SeRemoteShutdownPrivilege	3432	setup.exe
Token: SeUndockPrivilege	3432	setup.exe
Token: SeSyncAgentPrivilege	3432	setup.exe
Token: SeEnableDelegationPrivilege	3432	setup.exe
Token: SeManageVolumePrivilege	3432	setup.exe
Token: SeImpersonatePrivilege	3432	setup.exe
Token: SeCreateGlobalPrivilege	3432	setup.exe
Token: SeRestorePrivilege	4252	msiexec.exe
Token: SeTakeOwnershipPrivilege	4252	msiexec.exe
Token: SeRestorePrivilege	4252	msiexec.exe
Token: SeTakeOwnershipPrivilege	4252	msiexec.exe
Token: SeRestorePrivilege	4252	msiexec.exe
Token: SeTakeOwnershipPrivilege	4252	msiexec.exe
Token: SeRestorePrivilege	4252	msiexec.exe
Token: SeTakeOwnershipPrivilege	4252	msiexec.exe
Token: SeRestorePrivilege	4252	msiexec.exe
Token: SeTakeOwnershipPrivilege	4252	msiexec.exe
Token: 33	1844	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1844	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1620	setup.exe
1620	setup.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 2312	4728	VisualStudioSetup.exe	74
PID 4728 wrote to memory of 2312	4728	VisualStudioSetup.exe	74
PID 4728 wrote to memory of 2312	4728	VisualStudioSetup.exe	74
PID 2312 wrote to memory of 4540	2312	vs_setup_bootstrapper.exe	75
PID 2312 wrote to memory of 4540	2312	vs_setup_bootstrapper.exe	75
PID 2312 wrote to memory of 4540	2312	vs_setup_bootstrapper.exe	75
PID 2312 wrote to memory of 1620	2312	vs_setup_bootstrapper.exe	79
PID 2312 wrote to memory of 1620	2312	vs_setup_bootstrapper.exe	79
PID 1620 wrote to memory of 800	1620	setup.exe	80
PID 1620 wrote to memory of 800	1620	setup.exe	80
PID 1620 wrote to memory of 3432	1620	setup.exe	82
PID 1620 wrote to memory of 3432	1620	setup.exe	82
PID 3432 wrote to memory of 1504	3432	setup.exe	86
PID 3432 wrote to memory of 1504	3432	setup.exe	86
PID 3432 wrote to memory of 1504	3432	setup.exe	86
PID 3432 wrote to memory of 964	3432	setup.exe	88
PID 3432 wrote to memory of 964	3432	setup.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\VisualStudioSetup.exe
"C:\Users\Admin\AppData\Local\Temp\VisualStudioSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\VisualStudioSetup.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\getmac.exe
    "getmac"
    3⤵
    PID:4540
- - C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe" /finalizeInstall install --in "C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202404271428055197.json" --locale en-US --activityId "907939c2-854d-4f90-94be-3633baf4202b" --campaign "2030:e77163fb52e440e9aeaef76ce0e48356" --pipe "30750326-30f1-4e07-8f90-cd660089ac9b"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.windows.exe
      "C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.windows.exe" /finalizeinstall 6F320B93-EE3C-4826-85E0-ADF79F8D4C61 "Visual Studio Installer" "Microsoft Visual Studio Installer" 3.9.2180.11832 0 "C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe"
      4⤵
      Executes dropped EXE
      PID:800
  - - C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe" elevate --activityId 907939c2-854d-4f90-94be-3633baf4202b --campaign 2030:e77163fb52e440e9aeaef76ce0e48356 --handle 262892 --locale en-US --pid 1620 --pipeName b0bdc6ae61d44f4989e284a7a0908016 --serializedSession "{\"TelemetryLevel\":null,\"IsOptedIn\":true,\"HostName\":\"Default\",\"AppInsightsInstrumentationKey\":\"f144292e-e3b2-4011-ac90-20e5c03fbce5\",\"AsimovInstrumentationKey\":\"AIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\",\"CollectorApiKey\":\"f3e86b4023cc43f0be495508d51f588a-f70d0e59-0fb0-4473-9f19-b4024cc340be-7296\",\"AppId\":1000,\"UserId\":\"c4ca5a1c-7d60-43a2-8caf-5e1faa68dc8f\",\"Id\":\"6e8fc59a-2071-4348-b105-b7695c7ba158\",\"ProcessStartTime\":638498249057854791,\"SkuName\":null,\"VSExeVersion\":null,\"BucketFiltersToEnableWatsonForFaults\":[{\"AdditionalProperties\":[],\"Id\":\"a02930d9-c607-41c3-8698-0fd9196735a5\",\"WatsonEventType\":\"VisualStudioNonFatalErrors2\",\"BucketParameterFilters\":[null,null,\"(?i)vs\\.setup.*\",null,null,null,null,null,null,null]},{\"AdditionalProperties\":[],\"Id\":\"64a13603-6d89-42e4-a299-13f77e5ad306\",\"WatsonEventType\":\"VisualStudioNonFatalErrors2\",\"BucketParameterFilters\":[null,null,\"(?i)vs\\.willow.*\",null,null,null,null,null,null,null]}],\"BucketFiltersToAddDumpsToFaults\":[]}"
      4⤵
      Adds Run key to start application
      Drops file in Program Files directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3432
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" queue pause
        5⤵
        Drops file in Windows directory
        
        PID:1504
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" queue pause
        5⤵
        Drops file in Windows directory
        
        PID:964

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58af49.rbs

Filesize
598B

MD5
57cd4c9d85f984250ccf12a76f7417c0

SHA1
eeb6ce47e7ead71da6e6c0cfd151811fba14945a

SHA256
bf2f9f3f1d160c5344a5846117de01d3f31a6d7bbab3d1bfc0895ae2dcae07dc

SHA512
2348324443b052665092ed2d795821b6155a7e5ce546b671201c5870707cdfd09087592bdfbffcff2fc04f19d06e992c7776b62aa094ef7b63674179424b1ae2

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\CommandLine.dll

Filesize
222KB

MD5
1e71c463c3ae5ea384220491e16faa99

SHA1
b36175b615bf42cbab3e1b29c669791aacece4c3

SHA256
9886a4b543d755ad8ad3453dda89ae9b6315aa80b5830465cf297b9cbf4dd805

SHA512
146578afaec6f6b1fdefea0de0f028a20495a329198cc06a796ea7f25cb2841ef80abebe4666b11d6fec98ae2784c39b8fbd684bd94b9d2b64b1f4f90f9aa58c

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Markdig.Wpf.dll

Filesize
43KB

MD5
7a84adc38e30de751a4258118d587b8c

SHA1
ef626e8111455be52495edf9e789b436aeeca3a7

SHA256
5c7e9811b0e76b558d8ada7c5d5ea2952367734a6bd2bdedfd9e09493bd4e799

SHA512
287872a37f57fd098739728db89353fbd426f36d2b7bfae73b3ef84e0f6ba373e3880095856aef77688c462b369f879781a4662770a01e5cb38dfd9db07ff1f9

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.VisualStudio.Imaging.Interop.14.0.DesignTime.dll

Filesize
21KB

MD5
b340a021abaa327244b5f02542bd1def

SHA1
c4471b8c3bf60ed300ebce0bd843f017d205ad5c

SHA256
21e9388960143eab0323b9b56443b6c47439973b1682653c37e0e50217e3bb08

SHA512
1970ebe87910d0b7759cae3139bdb78b73e04b3c5a8a22ede42b772e1dc73bffa05d82a5684aba1b90fa265e30e510806bc5e782117ddd620612625c0a6b2d64

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.VisualStudio.Imaging.dll

Filesize
536KB

MD5
83e105b9aa14de29a797de7c4ce9693f

SHA1
51064762644b315ae4a49d11966b580e8ce1ffbe

SHA256
7efefc9326536b95b74cf7d4dd1014c4928d6937aadfb28e4b76c8c44a9a554e

SHA512
971f429be419a77815773af7ac9ab0350a532cc7ecdf17b6bdc354e885f9d92b17a53f90ec3452287f0f5e854ec6da280eaef0aa43c01da616576a47964172b1

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.VisualStudio.Setup.InstallerResources.dll

Filesize
150KB

MD5
b14ee8c619cc3624604db2ea2f815793

SHA1
6d76fa7d63e2948c54ae24217a6c06b2cad78a7e

SHA256
0e27fc685dcba3337148eb05a283c95e4728e17c4f847cb8187abd63a9274d77

SHA512
9e990a370e85a2d32322c8f689ca5ce192ae56bd79550b816681225ce2087e5d4c2904c0770ab231ff722b85fc2ca3cfed0a8d718e12d2a7e28e0d8ff57f60ef

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.VisualStudio.Threading.dll

Filesize
714KB

MD5
7ec0e494a21aabbd8302d424c8f6c611

SHA1
8453c581039d2fc69b55ebf73a8e90ac7022dc94

SHA256
5d232659bc044cf946451a3f1961a9cd327ef80f9f1563fb5ceeae64aee87920

SHA512
998d117fc2845ad6074e68c8c53ea44213c9a1f8b185c4d838c6226942aa581e3d27ad1b03c6cc1b20c2c41ea00865bd609f9ee10f9aba35ad0be7c149c0d997

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.VisualStudio.Utilities.dll

Filesize
1.2MB

MD5
ec52c9519320e3f2f7f21bd76f445684

SHA1
1af3d1f8b76f08598c5028c0ed3a36b505985b8f

SHA256
2ff6df707cc4924d458e9ad883c516caf8c3f301e4d963f93c45b689e311128f

SHA512
4ac3fa4bf3c5b3469198b2759693b393ecdf744510c3d169c804a467304e015f88e69d18a10d3eaf7d185af2b8a93cafbd311ec0b66fac6867eb0646b3967fa8

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.VisualStudio.Validation.dll

Filesize
33KB

MD5
a627fd8565f6f442bc7555c94126e988

SHA1
4d096f96ec09228d508701e3d288f854b9906c21

SHA256
83ee28811e6815914191db0c1d65278f62a20995786bb1d416f48e8a3e290274

SHA512
1b4bfe6e74658b00ebed000d82c5bfc242d505b3d48eadcf07334e316feb9aa791f7e803f27903cb7eb1ee5ec5900de4d87afc0a7e6a482f25e2cc84ca9c9135

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Newtonsoft.Json.dll

Filesize
705KB

MD5
712e4eee498c3ede49eff3bffe8775e7

SHA1
bb598801985112943502713bc6028e3f63cec0e0

SHA256
e64f0dd297476841bf49800c721d624a8fa88c4f876b334722c8482dd7e3b501

SHA512
6e4a495771275137b60a03e31dc02d639496e91a8c8f8af29a1691396008fdbc93d886d23b5e592ed4cc1e3dfbf2fa4cd4ba073629375602ba39ae51e707b57f

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\runtimes\win-x86\native\msalruntime_x86.dll

Filesize
1.9MB

MD5
94ab867ef06d046b6f65adbcb0994638

SHA1
30768967ad3b95aaeb8ec671f96e176a6d5dd1fa

SHA256
e9501bd3899c05167ab3d6cde455e7c81bc4bd138314207f3cdfe910b21358ae

SHA512
81e20e97829bd2102e552bf78f1da4a6986ceca475c6514c7de9a40adeafdd7b15c15dd10af293df5b4c21e4b1c431c92591d19559c9c71ba5916d14d750c090

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe

Filesize
2.9MB

MD5
c6529c201ccee70acc9956192899a22f

SHA1
a757e2e194c211d5c61c258a70e6f4e47cbf8a89

SHA256
f0aca4e09e833efd9de0359e8946fa47e15760035857a09346d05613b9481903

SHA512
d25a6fdf4ec92e362f26e910e7407f1688e36d82c8083917f8adc75f2f32455a8cea0753827bc073dd5a5001bd84348d4ff52c63faf96a957bc344578992efd0

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe.config

Filesize
5KB

MD5
9dc3b7d3b90bf16af33d3e5d2e81e8d3

SHA1
89d5a9e305456f755cab58ce0d9c7748552b0448

SHA256
8df494040a078046bf71772c6d9818cdb613263630feb46b0466c72096f7393b

SHA512
6bb3fdaa79c816c53241b939e793fc8f9b4ea9c1d240df3e9c11c175ab8dc3e6cf0de98f4f060bc0203cea14221badb3b60dbf80e06747a9a4087f1d8b39e60c

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.version.json

Filesize
123B

MD5
8841c551fbad2b842192cfd0ee279290

SHA1
52a38bcb7451f15e9432c9086f58db63dabfe0cc

SHA256
666d85975f3a0d72080683677a8c9b64daa3055fcd56d4a62c1b0e40aa701943

SHA512
30b5ec84c1188ec98c6ef2f4fc96c23c8a850322f8fea3d1adda57e77c91fb2561a7a16ccc4ee2b90b06e19828b736cb005fb06e34b7e728be775c89d1ce7a58

Download Submit
C:\ProgramData\Microsoft\VisualStudio\Packages\_Instances\6d3c9db9\state.json

Filesize
10KB

MD5
15f7a617affde743183ddde2f89781e9

SHA1
21093deef04d0047ca32786c8089a89e869c4eac

SHA256
7d34021fbfb33339004c3ffd6aa52eeb0c3b23a3cd0bd9f3f21b4147d8586bf0

SHA512
3b538b2b0cae59cde7bdcb66c309b4501c3a527989f705b78b24482a9df8c64ce9f43bf322410220cfac122a5661b2915ff5b7c1430583dceec9b080982b623e

Download Submit
C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202404271428055197.json

Filesize
162B

MD5
ad891c3b02a02419dc60db8c273a8315

SHA1
141a08ca0e25d56bdb35fc71e1c767667079114a

SHA256
186c4b16ee009564819730b358dbdbb0792fc27e602698c5f0a16e20104647c7

SHA512
64cdaf1d6d1b4072e24f3926f91103abf946ff044cda34a9070586c2d2927bcdfc53381c955e447a38965ee426373259759025f97b715158afc429080956196f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240427142836_8dacacc0fbc0449c92233175eda57f0e.trn

Filesize
9KB

MD5
ff344240157127ab3a3b91a6fa431dac

SHA1
310441de3ef89abcaa0deea847ad085e5ed0d12c

SHA256
e0767204e123ab73ddcc2b035f4e66f6cf59b9e8ecd389c8d997d1e140a0c12a

SHA512
9fa7ebf97b4c814814f0f504e2dd2e1da73596480bc988b97942ce1546fd4f6d61fa6c9c4e2584e3151e2839ffbaca8b71d541886f6d0c276f3c62fd336dcd78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240427142840_1b0474fda64e42f3b84187bcde4ebaaf.trn

Filesize
3KB

MD5
a4eb412e37894278205e7bce16130f00

SHA1
3a108a7f827ea10d81c07e025fdf7488565307c8

SHA256
53ac421985de766d5f800fe85f8ef63a866bc89484a338db2bf59cd51ad87e70

SHA512
f5f241084048e2259ae7451d1f8f49901bf7d31839de4b3c345f0617e9e3c574e040aa99482b185ce2902dadfcbf27f380ca114caadd9a1f580c8b26f1655782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240427142902_91f899a8b1804d7b8a4e5b5a92ff134f.trn

Filesize
17KB

MD5
a3db2dd59764dd250df4f0450aa662d9

SHA1
672b05ca8180f2248aee5fecd757bce759d8132e

SHA256
6beca179707972bbe5a7de00656ae26218f2addc04fda4419b3d90d8c40420c8

SHA512
c2c2eb431f130c01c22cb5a6618ba183d3789802d617124450209fbd2649b7d9d8cbe00483f6ad63c833e248481b97f64dd2a60b74d24227fd4949be3ca0dc8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240427142932_7d759fcc0173411e8f02fda4c7d80855.trn

Filesize
5KB

MD5
80208034092aaed4c0db74637a7d95e5

SHA1
3ec234191a75f6a45ce9ace20d23e273ef0e07ed

SHA256
e15626cba751432b22e62009d8f4a6ff7da62ad3437545f6e2bc4c2417092055

SHA512
2a729cde94ccc91c31c8d081ac11cbda165453ee636e965af480ba83fdd54d9be1e7a92ca8d023361ba6576316967d96dbec1e6c96a3e0c166973051bc9b57b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VisualStudio\Packages\_ChannelFeeds\F4D08EA8\.updateUri

Filesize
26B

MD5
e3c9f3c009c49e91b372ce3be05da610

SHA1
df98879fb7402b9b08bdc18fc2f3d4d5ccec12cc

SHA256
f4d08ea820b816e2822bdd3351613ed185e4e36503ccc348f4a8a7957fadfd6f

SHA512
444aa325d744a7fbcdc5a48cd7b51814e3cca5caf58b0e16316e015f898773a5d3476059399a704a9b4dc6350d06430ba42a78058f2cd8c03669147b346f22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VisualStudio\Packages\_ChannelFeeds\F4D08EA8\channels.json

Filesize
65KB

MD5
13c6327cba54014d864c63a7ebc3bc59

SHA1
06a31e491570117cc8e45f985358496ee7aeecb9

SHA256
9601998cdc625a2ebffa2b7d6e00f5cf2f86d095fa7b6a5d8d7a48c2b67e6f14

SHA512
7dbb3972de34ed7b2be40fc759f712f1a59e52b676b258a445f351121e5328ceee10b4130d02f8e6901459bc0405652dd393baba9dabe2cdc0d9217c7ddac8e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VisualStudio\Packages\_Channels\e53d7ff1\channelManifest.json

Filesize
89KB

MD5
26a2cfd6039c10c1d4831c6229145d1e

SHA1
af7d2c5852bc7a053220475b63a72f0e55c55d49

SHA256
8a477060d0deeea7767347dfcbfe89eee9fce5ccbdcf11bfb13681bac08892f0

SHA512
2e195b1955a2e5e1e30e5519818c123607da02bc57f00fa097c8505c83932fb3fd94e38dff9b3e454f32cfda69932446e1ef7a9fa0620748267ab82ac76af11a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VisualStudio\Packages\_Instances\6d3c9db9\state.json

Filesize
69B

MD5
136f7bd6a977f8dc0369f1c639025249

SHA1
4f921f4865b682d85fb545e80e3ac9334ba1bea0

SHA256
5f91ac3a2506e55cb135314015156877dd4e9cf0835826df763ed32fc643db41

SHA512
bc63a8769bb540a11ef12029a2be4a87895dd9ae2d6303ed259377ab3d6af275b360d2fd666901abac81d8476da36dcda2e89a6786c5d6a19a3af88332cc11f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PZD0T2PJ\DisabledFlights[1].cache

Filesize
78B

MD5
3786de4b37bb410ed52bc580689bdb9a

SHA1
4c21a9c9f84e16a2b969873c343c801bad22201e

SHA256
619374db8a2521ef5adddf7f763c135d1772366b222a4e11f1d69334bc1cbf69

SHA512
c2163e5693ea5ec7babd29af72320950dbe1af1ea0da2a298ca622937c36c73467773115cde8a8a664fcf3aba578b11f8882b5099b25dbab5ad8b47ddd3df808

Download Submit
C:\Users\Admin\AppData\Local\Temp\0h3gt4su.55l

Filesize
40KB

MD5
cfa7f3ffe40b3d4baeeeed3fb357793c

SHA1
ea6b405d8f5255a23b70bb4ef25e50e2275e397b

SHA256
e3cc1b39f85a80d0bc385beeffffb616b9af1815ef4c6b83a7c8084c337490b5

SHA512
3e1c66a601998df4f148cb70ed9828390ab3c07d6385aaf096a24a76a32513e42ac1295718731bd8769bb084a22cd2fb93e0dcd3e7d01655acb8611968affe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaoiachl.33o\i4ar0dgx.json

Filesize
13.9MB

MD5
ec45800aec65a426115e62ff105960af

SHA1
46eb155904e3b9da74288c5129ad1830dd5440e3

SHA256
d094f2e9e6a3cdccb7e7b2b2ce06c5997da4c85d7c4d62c9c7d446308e556976

SHA512
92df4afc162a1e63f8db88463b5e0f7f2c45e74ec70ae97509417f555d9e7a635b76b8ae3ffd0d2fe834d9e24ce9d7c0ea2eb4f9b7dc6568caef0162d0b14225

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll

Filesize
19KB

MD5
c6cf9fd202cb1229cbe7b9efbc9f4317

SHA1
d5c9c33a16c759c0bcf685cc8eae05104b50696a

SHA256
93a4a722c19f7f89ca2ce1aed73eee941c24c6e396585be8b2073b9b2ef235c7

SHA512
6e303a5e9975daeb7161dd1958ac0784b416fe1d65dc862da99eeecb59d12d7d43165865a2737d5ebbb9727439665b743b69952265e2721f4f01a00487555518

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll

Filesize
114KB

MD5
5a0e5cbb68292104ed91f53275432781

SHA1
90bd370a5867ca889d47ba5c928ea06910160af7

SHA256
848ef52200b9bdd9807b20e1e0c834c3bbb09c723bcc59875658ee3f29781601

SHA512
0698f928fa2de8c48f04579c6904981e288552ee651b9d4a65b355c4698eae6f275625d5ef3c053de39c45d732d5f0514e062d762784a5630453e0e5f40b200e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\Microsoft.IdentityModel.Abstractions.dll

Filesize
18KB

MD5
dc6d5f059a711616234b383d8a3cd5f2

SHA1
b53df8e875bedf924a32eebea2abb2018f06e5e1

SHA256
d461864929e446edbc6513421f4db8c6465899d9067ea3c33e2131227799b525

SHA512
54cafa9ce950c0b4a2cfe6f115717cf113b45f6ef21c701207e37151fb8b01e0d370c56d950ab2c0bdd0d813d65462ed19eab4c9de320f8434cfb0b30589deca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll

Filesize
46KB

MD5
355c1a112bc0f859b374a4b1c811c1e7

SHA1
b9a58bb26f334d517ab777b6226fef86a67eb4dd

SHA256
cc52e19735d6152702672feb5911c8ba77f60fdc73df5ed0d601b37415f3a7ed

SHA512
f1e858f97dabeb8e9648d1eb753d6fcd9e2bab378259c02b3e031652e87c29fbabfc48d209983f7074dfc256afd42fa1d8184805534037771a71db517fe16c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll

Filesize
995KB

MD5
bbcc8244db84ad2031ac010633abf798

SHA1
de0cb65ee877663da272b4162a55a64ab8669f74

SHA256
8fe17ff9da7932dc01a39ed27559d5cdfa9b97ba14cbaa9f719087a241c8b82d

SHA512
d5682ea1aa9d50e9a491f8dc25c82907cde24ead2842ea392242e8cdedf49f68f3035042442738e147b5aa29d6328ced68007732298f62466c78fd10b276b06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll

Filesize
17KB

MD5
c610e828b54001574d86dd2ed730e392

SHA1
180a7baafbc820a838bbaca434032d9d33cceebe

SHA256
37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf

SHA512
441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\VSInstallerElevationService.Contracts.dll

Filesize
23KB

MD5
53d58bbdd361632e7593eec4fbaa9093

SHA1
ed7bce7375108854219099f9936c04bcc7a5cf1f

SHA256
8a44b9ea6e4cbc540fcac643c7d7ddd42262ee8c84f12333f91b58267c4dff98

SHA512
3c338dc1c45bd989d02b617aa454f30cb44cfa204377a8d7f365d55326c811daacac22cb9b4c2faba6eb7e1c65eeeaff5fbd79a699ed308291466bb536a47feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\detection.json

Filesize
8KB

MD5
782f4beae90d11351db508f38271eb26

SHA1
f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c

SHA256
c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9

SHA512
0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\runtimes\win-arm64\native\msalruntime_arm64.dll

Filesize
2.2MB

MD5
a2f41908d5dc93b30daa584ea84d2092

SHA1
858e185e27c19177d3bd8682cea53bcdc27a598e

SHA256
88a6f127eee41da978181df5de12d65d2337d4427ef66b6be1df51bc29e93f8b

SHA512
ee5934249b2540b2eb8f9ea3f344f00d6e512a8f2f86df4ea674dd9e35a91154cd77c62053882e187cf1a629c369ad3be9667f59607676bdc780280de5dfbeed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\runtimes\win-x64\native\msalruntime.dll

Filesize
2.2MB

MD5
6d226a7b33583555fe71310e610e7fc6

SHA1
92bb8ce4cb4e215348c6e22ffc3bf57ec031883a

SHA256
613be496ad434ceef6ed29dbba64f27a2612795078977a8b07b229ebba9e9953

SHA512
5697f07f95c723de50f65b23d5ce4853e716425abccae187d00ed3ab1812fb0e04af47b5ed241370773522fa3c463c351c9dfc58b10c7962bd2e8c83710a3d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\vs_setup_bootstrapper.config

Filesize
620B

MD5
5ad0c3135e84116d01715916950b9a8d

SHA1
8599452d2561e56c437d863fd85384d18a0251a3

SHA256
2e74819cc5878c1677c2c31e4be2e57f1b483e942aaf6ccc02e6122b868b0488

SHA512
860fd4de429767b401254a3349b63ff133e1ae8db37955bb3742532a9258b5abc518e6da78b54a2a79f2eb533169a3f3a01dc3c2268aa9a0621a907dcc8632e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Filesize
403KB

MD5
3257dc82fdc8136629ac4a4333193391

SHA1
9f1aa607c0d8508cb50f3f0ddc1b844bf570f2c2

SHA256
e94349f39b4b45774caf05fabcedee74ff182ad6f77f143eb661580824155a42

SHA512
3189c7eba1db26a37f64b7d650b566f14b855a8a406f7d900d6f3af937e7b5d817038d23aac8ddbc9d69b939beb26e7cecf9ab8dcbf9e0edf338fe7932f1c867

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config

Filesize
2KB

MD5
d705d5ccc158f125dfbf4b1f06ea8966

SHA1
76486d41cb0a0316ee354cbfb59f697a43ab1489

SHA256
1e0f19e5f792fc97e1ab40d6a8259f19843c8a22c1ccc008effc3a771cae9b66

SHA512
c3b2ac8d186990c3c7d6755a641cf3bf0256e8ea3789942374c56fdd97de6a7fae516ee944880bc3ed31b0e569192d570db899847b9a8fadfe46d4ed150b480f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gaihchkd\Microsoft.VisualStudio.Branding.Community.03696787AC5BB322DA2E\payload.vsix

Filesize
3.0MB

MD5
3f486b6634799210e238806ed02ba769

SHA1
3d7fdf94f0fca216d0d83f859a2e72c5389a2723

SHA256
24930084ed4f89de4bce79056e75da607e3691a6f19b82bc706a53c22ce02185

SHA512
438d60a94f06328dc9d36304cf5b3d20318c93c9a4fe6a4772f7f2316cd7b8061ff0810299aa13ce6ade2fc13ae037d305e44153abc4120e3563f32a714f3342

Download Submit
C:\Users\Admin\AppData\Local\Temp\gaihchkd\Microsoft.VisualStudio.CoreDotNet.Resources.6D7D3CC5A244BF638BA1\Microsoft.VisualStudio.CoreDotNet.vsix

Filesize
64KB

MD5
c6a6436a0e74b2ee5af2957ce0cdff89

SHA1
0414e6cf32779a165204554823428f1d3f6c3bbe

SHA256
3e9cb800d76388e99e6c53e65fc8604bcbc4cd07d60d27416a8a074598f4d5a1

SHA512
bf6ea98a61625b6cff718ef502701b2394ee0ba7aa30d5c8d809918a8bc86b0052257d6f798d52a0eb40df7f1d2ea685154500779f4fe87126bd462a74a789fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\gaihchkd\Microsoft.VisualStudio.MinShell.Auto.Resources.CC76255961650EBDACBB\Microsoft.VisualStudio.MinShell.Auto.vsix

Filesize
183KB

MD5
b3412575509c732c7d7cfede7df632a4

SHA1
4d9d4f732baeb32c34aab0bec59acb22d1fa8ed2

SHA256
c1a00c10e3a37e791bfd32fb68f400d1a178dfd1ea34a8c7b8729d84a4313c7b

SHA512
e41290d2645c389e57d79c0af8497316bd5d91cabeefa30bc373c6873d2eaa09a9412e7762d7ccd4692757dd545c36685e04cc08fe1f98f6365c85207ec2c623

Download Submit
C:\Users\Admin\AppData\Local\Temp\gaihchkd\Microsoft.VisualStudio.MinShell.Auto.Resources.FD08238D1010290198AF\Microsoft.VisualStudio.MinShell.Auto.vsix

Filesize
239KB

MD5
1eae70204447830e854b0234164dddcf

SHA1
1a0ecfd68d15c24a65723c644f1532ebe806aae5

SHA256
ecc3e02c2a3ea8627017d2b90ecd6196f4bc0767d59e8415f00d0a26293a579f

SHA512
87dbb9e0bf4a464a0d88c91cc6ce65ea548e44313aa46792dfca5606f36bb8192656db5aff8a945ed014d72c69644eedf520716517922e7581e0c4bf8ae38750

Download Submit
C:\Users\Admin\AppData\Local\Temp\gaihchkd\Microsoft.VisualStudio.UIInternal.Resources.A827F2770E421AC11AAC\Microsoft.VisualStudio.UIInternal.vsix

Filesize
313KB

MD5
f00e388ca13171973da85b00d301da28

SHA1
9fd2d7fc6d7e30dd091e352e0efdf554dca86b2c

SHA256
4ef96048a233cd0cc8ccdec1b15e3845c44efddd4e2e20664784624328bd75d1

SHA512
d3190c76a8071eeae41baa68ba79881c94bdf74f672354d9f5ba7a12c616c65cac1434c7bf34f2703f9ab0c819984cffd2d441b602edd7bea93f62c47ab63cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kf0ifhgg.0ek\4h552a3y.json

Filesize
89KB

MD5
f168135ba18b06a171e0cd8937fe8189

SHA1
ded601e6f79648d4f9a7144a369f478c1a231355

SHA256
e14ff2ec1706905df10232788585163e62586029cd02978f0e261d05dc28f1eb

SHA512
4ba28699a36ac7b9c997aa154e7fbb451ce155ac4e589c78e1bc468a72ed8674a4eb1adcc19d94dae545cfa3ab0c6aabee3b1a25052fae473b30eb1d11215019

Download Submit
C:\Users\Admin\AppData\Local\Temp\z41xiqaq.json

Filesize
22KB

MD5
9b5bc10442f86b015e3ec11b15cbe7fe

SHA1
2022bab52c25622a7ba73c2116967f0fd8462898

SHA256
1211fa72349aeb9f8578a8405937b1bade9bbd578b5fbc2d1858462abbafb300

SHA512
7b59e801f1e9367ac8adc970eec47a14b01b986001593cda60f381d4f3f6852839c1204dc228e53377de7bfebaf418a2963a31f533f5c56029e1025140caf339

Download Submit
\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll

Filesize
578KB

MD5
1d8d070d47510b7ad2d649edb415a90d

SHA1
464e282bf196219d39c24c5610cf76efc0b9772c

SHA256
f160aa395cd03a77c88e9ed476d2cd308528ef28ede7d3cd51d799192b66788a

SHA512
91ebe5e9ded214695f9c2df08e2f8c2accf2ec17f8679cdd9425b37f60f9758da6de7f474ab14343f3edf5abab0ebbe639ee878417947b89dfaa1361d517ebe1

Download Submit
\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll

Filesize
305KB

MD5
b23e7cc9034c5063c4374c76015c4f6a

SHA1
74c39d36d37f8fb1fec14462ac5a7e1eb3182e76

SHA256
e79603b7f9ada27335deca10edf748f4cb1bf700cf866f585d0eb0a88bd7758e

SHA512
be5d084aa6c5b1dbbf5b2b8d2a3ef99962dcbdaefc76eca6d411b9e929ee25c5032edcda565f4b0ecc1aabda3335a3eac736e96750d8d54e4f9e9793ed3f2902

Download Submit
\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll

Filesize
1.4MB

MD5
f203011840317dca75b5958b4ef1383c

SHA1
f975958ff6329fbac84d6f7bb263a287d8fa5c38

SHA256
aea445890e328c45ad594e98043808722fea6017dc8b0fa54b85f43732eed389

SHA512
119d39ebc7a19ace9881754af73f834fd6fd27230b8e8b544aeea10e471d3fc8b33d1e25a70d30f514eae3fafed9da7a5ec6a7650a5b842a6668ea97c279d884

Download Submit
\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll

Filesize
62KB

MD5
2dc1dc66b267a3470add7fab88b78069

SHA1
dbe80047475b503791038ed7e47389c062c15c72

SHA256
b044863f98af8d28f4f2f5e2dccb945c57439e1575afb37110e1eec306a6c89c

SHA512
44ef73aab50dcc13ccd94c0353c366818afb27ce73772d722755b04add0c4f294c7814c84da6069d9aa6136f2a48683c25062dcddd1664e8d32fed1b38ceca21

Download Submit
\Users\Admin\AppData\Local\Temp\ff317616fc9f5cb43a97919da6910a26\vs_bootstrapper_d15\System.Memory.dll

Filesize
138KB

MD5
f09441a1ee47fb3e6571a3a448e05baf

SHA1
3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde

SHA256
bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f

SHA512
0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6

Download Submit
memory/800-766-0x0000000000DD0000-0x0000000000DDC000-memory.dmp

Filesize
48KB

Download
memory/1620-802-0x00000259BA750000-0x00000259BA768000-memory.dmp

Filesize
96KB

Download
memory/1620-713-0x00000259B74F0000-0x00000259B7624000-memory.dmp

Filesize
1.2MB

Download
memory/1620-683-0x000002599DFB0000-0x000002599DFD2000-memory.dmp

Filesize
136KB

Download
memory/1620-681-0x00000259B6B20000-0x00000259B6BD2000-memory.dmp

Filesize
712KB

Download
memory/1620-678-0x00000259B6840000-0x00000259B68D4000-memory.dmp

Filesize
592KB

Download
memory/1620-686-0x00000259B6800000-0x00000259B682A000-memory.dmp

Filesize
168KB

Download
memory/1620-676-0x00000259B69B0000-0x00000259B6B12000-memory.dmp

Filesize
1.4MB

Download
memory/1620-674-0x000002599BF80000-0x000002599C26E000-memory.dmp

Filesize
2.9MB

Download
memory/1620-690-0x00000259B6BE0000-0x00000259B6C96000-memory.dmp

Filesize
728KB

Download
memory/1620-692-0x000002599C6A0000-0x000002599C6AC000-memory.dmp

Filesize
48KB

Download
memory/1620-986-0x00000259BF530000-0x00000259BF604000-memory.dmp

Filesize
848KB

Download
memory/1620-703-0x00000259B6990000-0x00000259B699A000-memory.dmp

Filesize
40KB

Download
memory/1620-701-0x000002599C6C0000-0x000002599C6C8000-memory.dmp

Filesize
32KB

Download
memory/1620-699-0x00000259B6930000-0x00000259B6956000-memory.dmp

Filesize
152KB

Download
memory/1620-697-0x00000259B68E0000-0x00000259B68F2000-memory.dmp

Filesize
72KB

Download
memory/1620-695-0x00000259B6DA0000-0x00000259B6E9C000-memory.dmp

Filesize
1008KB

Download
memory/1620-694-0x000002599C6D0000-0x000002599C6EA000-memory.dmp

Filesize
104KB

Download
memory/1620-705-0x00000259B6910000-0x00000259B6920000-memory.dmp

Filesize
64KB

Download
memory/1620-957-0x00000259BF3B0000-0x00000259BF442000-memory.dmp

Filesize
584KB

Download
memory/1620-707-0x00000259B6900000-0x00000259B6908000-memory.dmp

Filesize
32KB

Download
memory/1620-950-0x00000259BC060000-0x00000259BC068000-memory.dmp

Filesize
32KB

Download
memory/1620-709-0x00000259B6920000-0x00000259B692E000-memory.dmp

Filesize
56KB

Download
memory/1620-711-0x00000259B7320000-0x00000259B73AA000-memory.dmp

Filesize
552KB

Download
memory/1620-954-0x00000259BF300000-0x00000259BF30A000-memory.dmp

Filesize
40KB

Download
memory/1620-952-0x00000259BF190000-0x00000259BF1CC000-memory.dmp

Filesize
240KB

Download
memory/1620-803-0x00000259B63A0000-0x00000259B63AE000-memory.dmp

Filesize
56KB

Download
memory/1620-953-0x00000259BE0E0000-0x00000259BE0F8000-memory.dmp

Filesize
96KB

Download
memory/1620-716-0x00000259B7630000-0x00000259B76E8000-memory.dmp

Filesize
736KB

Download
memory/1620-718-0x00000259B73B0000-0x00000259B73E4000-memory.dmp

Filesize
208KB

Download
memory/1620-719-0x00000259B6D90000-0x00000259B6D9C000-memory.dmp

Filesize
48KB

Download
memory/1620-720-0x00000259B72B0000-0x00000259B72B8000-memory.dmp

Filesize
32KB

Download
memory/1620-721-0x00000259B73F0000-0x00000259B7428000-memory.dmp

Filesize
224KB

Download
memory/1620-722-0x00000259B72F0000-0x00000259B72FE000-memory.dmp

Filesize
56KB

Download
memory/1620-723-0x00000259BA540000-0x00000259BA590000-memory.dmp

Filesize
320KB

Download
memory/1620-724-0x00000259BA640000-0x00000259BA6EA000-memory.dmp

Filesize
680KB

Download
memory/1620-725-0x00000259BA6F0000-0x00000259BA74E000-memory.dmp

Filesize
376KB

Download
memory/1620-728-0x00000259BA520000-0x00000259BA53E000-memory.dmp

Filesize
120KB

Download
memory/1620-729-0x00000259BA590000-0x00000259BA5AC000-memory.dmp

Filesize
112KB

Download
memory/1620-727-0x00000259BA5E0000-0x00000259BA630000-memory.dmp

Filesize
320KB

Download
memory/1620-726-0x00000259BA4F0000-0x00000259BA512000-memory.dmp

Filesize
136KB

Download
memory/1620-730-0x00000259BA850000-0x00000259BA94C000-memory.dmp

Filesize
1008KB

Download
memory/1620-732-0x00000259BA5B0000-0x00000259BA5C2000-memory.dmp

Filesize
72KB

Download
memory/1620-951-0x00000259BC080000-0x00000259BC08A000-memory.dmp

Filesize
40KB

Download
memory/1620-684-0x000002599DFE0000-0x000002599E01C000-memory.dmp

Filesize
240KB

Download
memory/1620-945-0x00000259BBF70000-0x00000259BBF7A000-memory.dmp

Filesize
40KB

Download
memory/1620-772-0x00000259B6110000-0x00000259B61E0000-memory.dmp

Filesize
832KB

Download
memory/1620-777-0x00000259B6060000-0x00000259B6068000-memory.dmp

Filesize
32KB

Download
memory/1620-778-0x00000259B6080000-0x00000259B6088000-memory.dmp

Filesize
32KB

Download
memory/1620-938-0x00000259B6200000-0x00000259B6208000-memory.dmp

Filesize
32KB

Download
memory/1620-937-0x00000259B6210000-0x00000259B6238000-memory.dmp

Filesize
160KB

Download
memory/1620-801-0x00000259B6380000-0x00000259B6388000-memory.dmp

Filesize
32KB

Download
memory/1620-804-0x00000259BA800000-0x00000259BA812000-memory.dmp

Filesize
72KB

Download
memory/2312-170-0x000000000AF70000-0x000000000AFA8000-memory.dmp

Filesize
224KB

Download
memory/2312-184-0x00000000720A0000-0x000000007278E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-162-0x0000000007A50000-0x0000000007AE2000-memory.dmp

Filesize
584KB

Download
memory/2312-821-0x00000000720A0000-0x000000007278E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-161-0x0000000007820000-0x0000000007886000-memory.dmp

Filesize
408KB

Download
memory/2312-160-0x00000000068B0000-0x0000000006C00000-memory.dmp

Filesize
3.3MB

Download
memory/2312-118-0x0000000005C10000-0x0000000005CA4000-memory.dmp

Filesize
592KB

Download
memory/2312-159-0x0000000006880000-0x00000000068A2000-memory.dmp

Filesize
136KB

Download
memory/2312-164-0x0000000007BB0000-0x0000000007C68000-memory.dmp

Filesize
736KB

Download
memory/2312-168-0x0000000007F70000-0x0000000007F78000-memory.dmp

Filesize
32KB

Download
memory/2312-151-0x0000000006590000-0x00000000065A0000-memory.dmp

Filesize
64KB

Download
memory/2312-169-0x0000000007F90000-0x0000000007F98000-memory.dmp

Filesize
32KB

Download
memory/2312-142-0x0000000006180000-0x00000000061A6000-memory.dmp

Filesize
152KB

Download
memory/2312-114-0x0000000005800000-0x0000000005962000-memory.dmp

Filesize
1.4MB

Download
memory/2312-171-0x000000000C740000-0x000000000C748000-memory.dmp

Filesize
32KB

Download
memory/2312-175-0x000000000C6E0000-0x000000000C730000-memory.dmp

Filesize
320KB

Download
memory/2312-176-0x000000000C000000-0x000000000C012000-memory.dmp

Filesize
72KB

Download
memory/2312-163-0x0000000007FF0000-0x00000000084EE000-memory.dmp

Filesize
5.0MB

Download
memory/2312-185-0x0000000005D00000-0x0000000005D10000-memory.dmp

Filesize
64KB

Download
memory/2312-111-0x00000000720A0000-0x000000007278E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-196-0x000000000A830000-0x000000000A83A000-memory.dmp

Filesize
40KB

Download
memory/2312-109-0x0000000000E10000-0x0000000000E78000-memory.dmp

Filesize
416KB

Download
memory/2312-130-0x0000000005BC0000-0x0000000005C10000-memory.dmp

Filesize
320KB

Download
memory/2312-126-0x00000000057F0000-0x00000000057F8000-memory.dmp

Filesize
32KB

Download
memory/2312-147-0x0000000005D00000-0x0000000005D10000-memory.dmp

Filesize
64KB

Download
memory/2312-146-0x0000000005DA0000-0x0000000005DA8000-memory.dmp

Filesize
32KB

Download
memory/2312-197-0x000000000BFA0000-0x000000000BFC2000-memory.dmp

Filesize
136KB

Download
memory/2312-138-0x0000000006130000-0x0000000006142000-memory.dmp

Filesize
72KB

Download
memory/2312-134-0x00000000061F0000-0x00000000062A2000-memory.dmp

Filesize
712KB

Download
memory/2312-122-0x0000000005DB0000-0x0000000005EAC000-memory.dmp

Filesize
1008KB

Download
memory/3432-963-0x00000241B6FC0000-0x00000241B6FCA000-memory.dmp

Filesize
40KB

Download
memory/3432-960-0x00000241B7700000-0x00000241B772A000-memory.dmp

Filesize
168KB

Download
memory/3432-958-0x00000241B7400000-0x00000241B7408000-memory.dmp

Filesize
32KB

Download
memory/3432-959-0x00000241B7410000-0x00000241B7418000-memory.dmp

Filesize
32KB

Download
memory/3432-949-0x00000241B6CD0000-0x00000241B6D0E000-memory.dmp

Filesize
248KB

Download