Analysis Overview
SHA256
a590373ca9461d4b1bd22bd22e0fe58151a81640982f96dc470644172e6bfdce
Threat Level: Shows suspicious behavior
The file 2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 17:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 17:48
Reported
2024-06-11 17:51
Platform
win7-20240221-en
Max time kernel
133s
Max time network
141s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B39qGZs03TshL9o.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe"
C:\Users\Admin\AppData\Local\Temp\B39qGZs03TshL9o.exe
C:\Users\Admin\AppData\Local\Temp\B39qGZs03TshL9o.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\B39qGZs03TshL9o.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\getmac.exe
"getmac"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp |
| US | 152.199.19.161:443 | az667904.vo.msecnd.net | tcp |
| US | 152.199.19.161:443 | az667904.vo.msecnd.net | tcp |
| US | 152.199.19.161:443 | az667904.vo.msecnd.net | tcp |
| US | 152.199.19.161:443 | az667904.vo.msecnd.net | tcp |
| US | 8.8.8.8:53 | vortex.data.microsoft.com | udp |
| US | 104.208.16.90:443 | vortex.data.microsoft.com | tcp |
| US | 104.208.16.90:443 | vortex.data.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\B39qGZs03TshL9o.exe
| MD5 | f32908d4944949b7c026a0421ce04879 |
| SHA1 | 54f01696973eb9cc63c5a0a08812c188dd5150df |
| SHA256 | 2cd59d39d80de8823851ede07d0ddba1f283b0fae86060441f748b11e6e31f4f |
| SHA512 | 8d2ad3ea536a84320da3cbe874aca227329069624f2606767adc335ded18fd6f0646d74d7169179bebb1fce7bc4687f2164a0f23dd50d251a392bf4eea7d36c8 |
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
| MD5 | d6baac92ade6ade86ac8b33179c13db8 |
| SHA1 | c2dfc428a02ffc2c3cc293423d38037ea75cfade |
| SHA256 | eafadec2a23db1e659ecec552971b847eaa78b5e665db8984e456e159715ec10 |
| SHA512 | 7577167f2954402ffa642e1705acacc49e577268c102f00685cf5968c669d16e2925db39650882054b6e812433c98c916f737f7bacdb94ce8c37277a7585ec45 |
C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config
| MD5 | 010d94408fd5432563d51e416ba346b3 |
| SHA1 | 0041f1989b67b666ec0f0581f9e6ce0e94b55c55 |
| SHA256 | 0472025ac139903fead459c4c173364f128f68f015d0299fb0ddd835f7437d5d |
| SHA512 | d3252d2f2e07ca2e29c26894400690a0698a8cfcaefc3dd7f7c5020193725e331833fe997b8889807900e08d5c9b09ce69e803d64452b297385713f0e3a325f1 |
memory/2680-127-0x0000000000980000-0x00000000009E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll
| MD5 | fc32f39277ebbe48d976c9970cdab5dd |
| SHA1 | 2d2e6eafd0d16ec8f577293f4903f2ae3453752f |
| SHA256 | 7dd27a5ca48c16725e3a3ec9b18b1e198390e4c5f62af9a5c2489b27e3f871f8 |
| SHA512 | 30f99c799d2f88fc5cd66593435f851410e9cbafb10ad435c57a85a7eb86a4cf7179937b2da2597dab77da3b04d9770331ea776053d02af08ad4f6c7abbc45ea |
memory/2680-131-0x0000000004950000-0x0000000004A92000-memory.dmp
\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll
| MD5 | d4fa5e438ff243a1da462726fb4ea164 |
| SHA1 | 7effd06f4eaa0a5d701ea4162dce55cbfeb4c0cd |
| SHA256 | fa9d5c116363ccc82f92767bbb36d154f8903b861a9de65a01fd7824a566b4b0 |
| SHA512 | 8dbfc97abb5eb4363a1c896a4d276630a502354ed144e60dfb0ffbc1245486003d8af49443fd4baa70541114b50764467caed709cc416f60eaf33fd0f6fcee7b |
memory/2680-135-0x0000000001DF0000-0x0000000001E58000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll
| MD5 | 015ef51b3e50cc182b323524e5296172 |
| SHA1 | f5e8cb54340c3f6f0c4876348193afd04bb10323 |
| SHA256 | 289200599446f28664d3a44774ec076061fab75fa7307637284bf50231d25c0b |
| SHA512 | 8c69cbaee9e9d4c526fd5f5db5a1d5030821f1ce79e7a4698bb2ef9617e81832528130a485c09bfd24b63202e5c91ba03accdbe53f0be9a3bcb11e16b12097e5 |
memory/2680-139-0x0000000004B30000-0x0000000004C1A000-memory.dmp
\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll
| MD5 | 7ef638cbd3200605fc15e7be7ea9fcb5 |
| SHA1 | 534f6176f10bc79b2655e535b7ac6a4df9f67855 |
| SHA256 | 467df0856c41d9b37e6c55ae1b82edcca60f4c7847f93b7f24ca6543b675ad8a |
| SHA512 | c145576d119e2053c0cbffb910f63003d42c2af320ba410f6e81da9e40cc337000d8ad733778873bd2700e366f5672c311d69b4b2391564fe19fa6e48c1cb373 |
memory/2680-143-0x00000000004C0000-0x00000000004C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll
| MD5 | a6076a6e981bc6c29f270d3919e722e8 |
| SHA1 | 739c1b7fe6ade740cd87aeb84a4ac10720b14a2a |
| SHA256 | 460bed22e1f7148209901da0eb97fd8d83fef8f1404e3fb82219c90ae2876710 |
| SHA512 | 064f5a4756b3a0b8f8017e892ab85e0340d9f60fd1c03f2250cc24bdb0d650edaae873c8dcf543af31e027ac5eaa1bfeda99099286de71332eced742c78d6720 |
memory/2680-147-0x0000000001E60000-0x0000000001E86000-memory.dmp
\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Newtonsoft.Json.dll
| MD5 | 081d9558bbb7adce142da153b2d5577a |
| SHA1 | 7d0ad03fbda1c24f883116b940717e596073ae96 |
| SHA256 | b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3 |
| SHA512 | 2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511 |
memory/2680-151-0x00000000054D0000-0x0000000005580000-memory.dmp
\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll
| MD5 | c510b1756eac53c62ba8c7279609357f |
| SHA1 | 953ee732da8c49d2ef97711f5b7220d5e2cea8d6 |
| SHA256 | 188f3af3e336a5bf1dc82007fa4b96522b3ed946326a65b93dbeb0e24356f642 |
| SHA512 | 61ebf783d156733cbcf654a73bb73a67e63bc544376154b86f8c418a9ffaced9dfb7a0eea1b36d2622f7990539b078064cabe5d26976124a18e6aba580be2b33 |
memory/2680-157-0x0000000000580000-0x000000000058E000-memory.dmp
memory/2680-161-0x0000000001EB0000-0x0000000001EB8000-memory.dmp
\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll
| MD5 | 9a341540899dcc5630886f2d921be78f |
| SHA1 | bab44612721c3dc91ac3d9dfca7c961a3a511508 |
| SHA256 | 3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5 |
| SHA512 | 066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37 |
memory/2680-167-0x0000000001F80000-0x0000000001F8E000-memory.dmp
\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll
| MD5 | 2338953ae2ab47de1703f27e872e84ba |
| SHA1 | 2765b2f2cd04a0e1df7556da551ce9d763bc5c4d |
| SHA256 | bfc4890087c01f629fa09e744e5a861f9f68b504100cbcf805855fa5906d61c7 |
| SHA512 | 417ce0ef8344409ebd05b8c52b58a3960489fe810b95af31e72430690ffb8258042a73e205fc27396731113ad84302ff898821b4f2db2b9d4fa2b2293ccca872 |
C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll
| MD5 | ed2315668a0dda422f463d27c8110838 |
| SHA1 | ce17813ccc0cd968d9fb3d01e7b7ffbf3b05cebe |
| SHA256 | 0ce6da02115192a688359299b1a47ce9e6b2a8adf3dfcd92a2467b55d5f3c0aa |
| SHA512 | e9a47c030fa20a8d36f0c47293e547de0e7d978813ebde64f181d76d8606cf629846075ecb5e3a0b9d262a6fba7aeb0caa8fe3006c018de3c2c2ecdbf31c1eb7 |
C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.config
| MD5 | 0e4ebc00f6099b2e065d9015fb53977d |
| SHA1 | 7542e6ecbd4fe9c018f1875126f72159a14369d8 |
| SHA256 | 2f2975da8453485ddf84221e1e3d6823dcba996a4ce44cd6391cf4d2dd18e828 |
| SHA512 | 2937e89aad01ca30f9aff99f84c33083c7a32ce8534e98a0c5acd8ab3edfeb23d2f6d9d99902ea34857c187ec093f18e833a192f71d29d18a7e378ecf351923e |
C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.json
| MD5 | ecd028adc95c8ae1a92db26c5fdedb09 |
| SHA1 | a0b505a8ba954147e33542de25fdbd54ef3c5304 |
| SHA256 | 94cdbb8cd5b9fd5e44858efe36e25994c56848fa0e77920c08253f3e3063a2e3 |
| SHA512 | 0df8ace311c4bb75e4e036857828a57a1f76d075fe2056ef44fd9f3d865ab7dbc686c01274627b418a530ba0e761673d29c3f0ee3432887df7465ecfd167b7f6 |
memory/2680-177-0x0000000004E30000-0x0000000004E3A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\detection.json
| MD5 | 782f4beae90d11351db508f38271eb26 |
| SHA1 | f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c |
| SHA256 | c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9 |
| SHA512 | 0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4 |
C:\ProgramData\Microsoft Visual Studio\prpbg.dat.bak
| MD5 | 5a744a5ad32e332c65a85ccd710020d8 |
| SHA1 | 57fc4a7fd698a70dc328207526f85393cf955cfd |
| SHA256 | fc9d00569c460fd79154821923a4dcb0063f60db6c709200b81a72f852d990bf |
| SHA512 | a7ba98cd076ef0f4793cc61c7c77a1df265642443b7183279de737b993024c342e7f25cee45ea9bb57ce21e537e271f16dff83ab383a9e2b6a18434e45c3d8e5 |
memory/2680-191-0x0000000004E30000-0x0000000004E3A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\20240611174910_6eb765ecddff496ead63e9cbcf545b30.trn
| MD5 | 0f1727cff83bc38330e7d7190c1b8d1a |
| SHA1 | 9c77e4d84c4c32894dc4bc49e994d420a8a908d4 |
| SHA256 | ac165ece4d76ddc48ac0247e7e5990def8abca530b87d56f773a89266ac9d051 |
| SHA512 | ea17b976bb5539ce7480ac598ba06626593db42990315b44b76ee6be99220384a8887590c1a019b85f2f12d0583109df944afe96c912a322926cacbe65b654ba |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 17:48
Reported
2024-06-11 17:50
Platform
win10v2004-20240508-en
Max time kernel
43s
Max time network
52s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BIOK8wevXuZ1kRN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BIOK8wevXuZ1kRN.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe"
C:\Users\Admin\AppData\Local\Temp\BIOK8wevXuZ1kRN.exe
C:\Users\Admin\AppData\Local\Temp\BIOK8wevXuZ1kRN.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\BIOK8wevXuZ1kRN.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\getmac.exe
"getmac"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\BIOK8wevXuZ1kRN.exe
| MD5 | f32908d4944949b7c026a0421ce04879 |
| SHA1 | 54f01696973eb9cc63c5a0a08812c188dd5150df |
| SHA256 | 2cd59d39d80de8823851ede07d0ddba1f283b0fae86060441f748b11e6e31f4f |
| SHA512 | 8d2ad3ea536a84320da3cbe874aca227329069624f2606767adc335ded18fd6f0646d74d7169179bebb1fce7bc4687f2164a0f23dd50d251a392bf4eea7d36c8 |
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 7971556d965eb7960a3ff88ca67af8e3 |
| SHA1 | e441f17f873b265940f6cb6f412c7228e14c751f |
| SHA256 | 252f769ee13c215cc93e1befd286b6cfa1f9f7a5f245c734edaea36c13d22715 |
| SHA512 | c84c0dbe4cff902a6fb71ae9693c29e1ef1c9f2c126e04f6ac49b783a42120fe905f5401d3901e607d0db45ea5ac3acd1cd943f7ad978057c221801e4ee3aa01 |
C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
| MD5 | d6baac92ade6ade86ac8b33179c13db8 |
| SHA1 | c2dfc428a02ffc2c3cc293423d38037ea75cfade |
| SHA256 | eafadec2a23db1e659ecec552971b847eaa78b5e665db8984e456e159715ec10 |
| SHA512 | 7577167f2954402ffa642e1705acacc49e577268c102f00685cf5968c669d16e2925db39650882054b6e812433c98c916f737f7bacdb94ce8c37277a7585ec45 |
C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config
| MD5 | 010d94408fd5432563d51e416ba346b3 |
| SHA1 | 0041f1989b67b666ec0f0581f9e6ce0e94b55c55 |
| SHA256 | 0472025ac139903fead459c4c173364f128f68f015d0299fb0ddd835f7437d5d |
| SHA512 | d3252d2f2e07ca2e29c26894400690a0698a8cfcaefc3dd7f7c5020193725e331833fe997b8889807900e08d5c9b09ce69e803d64452b297385713f0e3a325f1 |
memory/3652-141-0x000000007361E000-0x000000007361F000-memory.dmp
memory/3652-143-0x0000000000360000-0x00000000003C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll
| MD5 | fc32f39277ebbe48d976c9970cdab5dd |
| SHA1 | 2d2e6eafd0d16ec8f577293f4903f2ae3453752f |
| SHA256 | 7dd27a5ca48c16725e3a3ec9b18b1e198390e4c5f62af9a5c2489b27e3f871f8 |
| SHA512 | 30f99c799d2f88fc5cd66593435f851410e9cbafb10ad435c57a85a7eb86a4cf7179937b2da2597dab77da3b04d9770331ea776053d02af08ad4f6c7abbc45ea |
memory/3652-147-0x0000000004CE0000-0x0000000004E22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll
| MD5 | d4fa5e438ff243a1da462726fb4ea164 |
| SHA1 | 7effd06f4eaa0a5d701ea4162dce55cbfeb4c0cd |
| SHA256 | fa9d5c116363ccc82f92767bbb36d154f8903b861a9de65a01fd7824a566b4b0 |
| SHA512 | 8dbfc97abb5eb4363a1c896a4d276630a502354ed144e60dfb0ffbc1245486003d8af49443fd4baa70541114b50764467caed709cc416f60eaf33fd0f6fcee7b |
C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll
| MD5 | 015ef51b3e50cc182b323524e5296172 |
| SHA1 | f5e8cb54340c3f6f0c4876348193afd04bb10323 |
| SHA256 | 289200599446f28664d3a44774ec076061fab75fa7307637284bf50231d25c0b |
| SHA512 | 8c69cbaee9e9d4c526fd5f5db5a1d5030821f1ce79e7a4698bb2ef9617e81832528130a485c09bfd24b63202e5c91ba03accdbe53f0be9a3bcb11e16b12097e5 |
memory/3652-151-0x0000000005120000-0x0000000005188000-memory.dmp
memory/3652-155-0x0000000005280000-0x000000000536A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll
| MD5 | 7ef638cbd3200605fc15e7be7ea9fcb5 |
| SHA1 | 534f6176f10bc79b2655e535b7ac6a4df9f67855 |
| SHA256 | 467df0856c41d9b37e6c55ae1b82edcca60f4c7847f93b7f24ca6543b675ad8a |
| SHA512 | c145576d119e2053c0cbffb910f63003d42c2af320ba410f6e81da9e40cc337000d8ad733778873bd2700e366f5672c311d69b4b2391564fe19fa6e48c1cb373 |
memory/3652-159-0x0000000004CC0000-0x0000000004CC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll
| MD5 | a6076a6e981bc6c29f270d3919e722e8 |
| SHA1 | 739c1b7fe6ade740cd87aeb84a4ac10720b14a2a |
| SHA256 | 460bed22e1f7148209901da0eb97fd8d83fef8f1404e3fb82219c90ae2876710 |
| SHA512 | 064f5a4756b3a0b8f8017e892ab85e0340d9f60fd1c03f2250cc24bdb0d650edaae873c8dcf543af31e027ac5eaa1bfeda99099286de71332eced742c78d6720 |
memory/3652-163-0x00000000050E0000-0x0000000005106000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Newtonsoft.Json.dll
| MD5 | 081d9558bbb7adce142da153b2d5577a |
| SHA1 | 7d0ad03fbda1c24f883116b940717e596073ae96 |
| SHA256 | b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3 |
| SHA512 | 2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511 |
memory/3652-167-0x00000000056A0000-0x0000000005750000-memory.dmp
memory/3652-168-0x0000000073610000-0x0000000073DC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll
| MD5 | c510b1756eac53c62ba8c7279609357f |
| SHA1 | 953ee732da8c49d2ef97711f5b7220d5e2cea8d6 |
| SHA256 | 188f3af3e336a5bf1dc82007fa4b96522b3ed946326a65b93dbeb0e24356f642 |
| SHA512 | 61ebf783d156733cbcf654a73bb73a67e63bc544376154b86f8c418a9ffaced9dfb7a0eea1b36d2622f7990539b078064cabe5d26976124a18e6aba580be2b33 |
memory/3652-172-0x00000000055F0000-0x00000000055FE000-memory.dmp
memory/3652-176-0x0000000005620000-0x0000000005628000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll
| MD5 | 9a341540899dcc5630886f2d921be78f |
| SHA1 | bab44612721c3dc91ac3d9dfca7c961a3a511508 |
| SHA256 | 3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5 |
| SHA512 | 066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37 |
memory/3652-180-0x00000000059B0000-0x00000000059BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll
| MD5 | 2338953ae2ab47de1703f27e872e84ba |
| SHA1 | 2765b2f2cd04a0e1df7556da551ce9d763bc5c4d |
| SHA256 | bfc4890087c01f629fa09e744e5a861f9f68b504100cbcf805855fa5906d61c7 |
| SHA512 | 417ce0ef8344409ebd05b8c52b58a3960489fe810b95af31e72430690ffb8258042a73e205fc27396731113ad84302ff898821b4f2db2b9d4fa2b2293ccca872 |
C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll
| MD5 | ed2315668a0dda422f463d27c8110838 |
| SHA1 | ce17813ccc0cd968d9fb3d01e7b7ffbf3b05cebe |
| SHA256 | 0ce6da02115192a688359299b1a47ce9e6b2a8adf3dfcd92a2467b55d5f3c0aa |
| SHA512 | e9a47c030fa20a8d36f0c47293e547de0e7d978813ebde64f181d76d8606cf629846075ecb5e3a0b9d262a6fba7aeb0caa8fe3006c018de3c2c2ecdbf31c1eb7 |
C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.config
| MD5 | 0e4ebc00f6099b2e065d9015fb53977d |
| SHA1 | 7542e6ecbd4fe9c018f1875126f72159a14369d8 |
| SHA256 | 2f2975da8453485ddf84221e1e3d6823dcba996a4ce44cd6391cf4d2dd18e828 |
| SHA512 | 2937e89aad01ca30f9aff99f84c33083c7a32ce8534e98a0c5acd8ab3edfeb23d2f6d9d99902ea34857c187ec093f18e833a192f71d29d18a7e378ecf351923e |
C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202406111748262896.json
| MD5 | ecd028adc95c8ae1a92db26c5fdedb09 |
| SHA1 | a0b505a8ba954147e33542de25fdbd54ef3c5304 |
| SHA256 | 94cdbb8cd5b9fd5e44858efe36e25994c56848fa0e77920c08253f3e3063a2e3 |
| SHA512 | 0df8ace311c4bb75e4e036857828a57a1f76d075fe2056ef44fd9f3d865ab7dbc686c01274627b418a530ba0e761673d29c3f0ee3432887df7465ecfd167b7f6 |
memory/3652-188-0x0000000005BA0000-0x0000000005BC2000-memory.dmp
memory/3652-189-0x0000000005BD0000-0x0000000005F24000-memory.dmp
memory/3652-190-0x0000000006480000-0x00000000064E6000-memory.dmp
memory/3652-191-0x0000000006D80000-0x0000000006E3A000-memory.dmp
memory/3652-192-0x0000000006FE0000-0x0000000007072000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\detection.json
| MD5 | 782f4beae90d11351db508f38271eb26 |
| SHA1 | f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c |
| SHA256 | c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9 |
| SHA512 | 0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4 |
memory/3652-194-0x0000000007630000-0x0000000007BD4000-memory.dmp
memory/3652-195-0x00000000074A0000-0x00000000074A8000-memory.dmp
memory/3652-196-0x000000000A3A0000-0x000000000A3A8000-memory.dmp
memory/3652-197-0x000000000ACF0000-0x000000000AD28000-memory.dmp
memory/3652-198-0x000000000A180000-0x000000000A18E000-memory.dmp
memory/3652-199-0x000000007361E000-0x000000007361F000-memory.dmp
memory/3652-200-0x0000000073610000-0x0000000073DC0000-memory.dmp