Malware Analysis Report

2025-06-15 20:00

Sample ID: 240611-wdkq3swall
Target: 2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware
SHA256: a590373ca9461d4b1bd22bd22e0fe58151a81640982f96dc470644172e6bfdce
Tags: persistence, spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: a590373ca9461d4b1bd22bd22e0fe58151a81640982f96dc470644172e6bfdce

Threat Level: Shows suspicious behavior

The file 2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware was found to show suspicious behavior.

Malicious Activity Summary

Tags: persistence, spyware, stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-11 17:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 17:48
Reported: 2024-06-11 17:51
Platform: win7-20240221-en
Max time kernel: 133s
Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B39qGZs03TshL9o.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A (25 identical rows)

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2648 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | C:\Users\Admin\AppData\Local\Temp\B39qGZs03TshL9o.exe (7 identical rows)
PID 2648 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | C:\Windows\CTS.exe (4 identical rows)
PID 2856 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\B39qGZs03TshL9o.exe | C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe (7 identical rows)
PID 2680 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | C:\Windows\SysWOW64\getmac.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\B39qGZs03TshL9o.exe

C:\Users\Admin\AppData\Local\Temp\B39qGZs03TshL9o.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\B39qGZs03TshL9o.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\getmac.exe

"getmac"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp
US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp
US | 152.199.19.161:443 | az667904.vo.msecnd.net | tcp (4 identical rows)
US | 8.8.8.8:53 | vortex.data.microsoft.com | udp
US | 104.208.16.90:443 | vortex.data.microsoft.com | tcp (2 identical rows)

Files

\Users\Admin\AppData\Local\Temp\B39qGZs03TshL9o.exe

MD5 f32908d4944949b7c026a0421ce04879
SHA1 54f01696973eb9cc63c5a0a08812c188dd5150df
SHA256 2cd59d39d80de8823851ede07d0ddba1f283b0fae86060441f748b11e6e31f4f
SHA512 8d2ad3ea536a84320da3cbe874aca227329069624f2606767adc335ded18fd6f0646d74d7169179bebb1fce7bc4687f2164a0f23dd50d251a392bf4eea7d36c8

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

MD5 d6baac92ade6ade86ac8b33179c13db8
SHA1 c2dfc428a02ffc2c3cc293423d38037ea75cfade
SHA256 eafadec2a23db1e659ecec552971b847eaa78b5e665db8984e456e159715ec10
SHA512 7577167f2954402ffa642e1705acacc49e577268c102f00685cf5968c669d16e2925db39650882054b6e812433c98c916f737f7bacdb94ce8c37277a7585ec45

C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config

MD5 010d94408fd5432563d51e416ba346b3
SHA1 0041f1989b67b666ec0f0581f9e6ce0e94b55c55
SHA256 0472025ac139903fead459c4c173364f128f68f015d0299fb0ddd835f7437d5d
SHA512 d3252d2f2e07ca2e29c26894400690a0698a8cfcaefc3dd7f7c5020193725e331833fe997b8889807900e08d5c9b09ce69e803d64452b297385713f0e3a325f1

memory/2680-127-0x0000000000980000-0x00000000009E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll

MD5 fc32f39277ebbe48d976c9970cdab5dd
SHA1 2d2e6eafd0d16ec8f577293f4903f2ae3453752f
SHA256 7dd27a5ca48c16725e3a3ec9b18b1e198390e4c5f62af9a5c2489b27e3f871f8
SHA512 30f99c799d2f88fc5cd66593435f851410e9cbafb10ad435c57a85a7eb86a4cf7179937b2da2597dab77da3b04d9770331ea776053d02af08ad4f6c7abbc45ea

memory/2680-131-0x0000000004950000-0x0000000004A92000-memory.dmp

\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll

MD5 d4fa5e438ff243a1da462726fb4ea164
SHA1 7effd06f4eaa0a5d701ea4162dce55cbfeb4c0cd
SHA256 fa9d5c116363ccc82f92767bbb36d154f8903b861a9de65a01fd7824a566b4b0
SHA512 8dbfc97abb5eb4363a1c896a4d276630a502354ed144e60dfb0ffbc1245486003d8af49443fd4baa70541114b50764467caed709cc416f60eaf33fd0f6fcee7b

memory/2680-135-0x0000000001DF0000-0x0000000001E58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll

MD5 015ef51b3e50cc182b323524e5296172
SHA1 f5e8cb54340c3f6f0c4876348193afd04bb10323
SHA256 289200599446f28664d3a44774ec076061fab75fa7307637284bf50231d25c0b
SHA512 8c69cbaee9e9d4c526fd5f5db5a1d5030821f1ce79e7a4698bb2ef9617e81832528130a485c09bfd24b63202e5c91ba03accdbe53f0be9a3bcb11e16b12097e5

memory/2680-139-0x0000000004B30000-0x0000000004C1A000-memory.dmp

\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll

MD5 7ef638cbd3200605fc15e7be7ea9fcb5
SHA1 534f6176f10bc79b2655e535b7ac6a4df9f67855
SHA256 467df0856c41d9b37e6c55ae1b82edcca60f4c7847f93b7f24ca6543b675ad8a
SHA512 c145576d119e2053c0cbffb910f63003d42c2af320ba410f6e81da9e40cc337000d8ad733778873bd2700e366f5672c311d69b4b2391564fe19fa6e48c1cb373

memory/2680-143-0x00000000004C0000-0x00000000004C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll

MD5 a6076a6e981bc6c29f270d3919e722e8
SHA1 739c1b7fe6ade740cd87aeb84a4ac10720b14a2a
SHA256 460bed22e1f7148209901da0eb97fd8d83fef8f1404e3fb82219c90ae2876710
SHA512 064f5a4756b3a0b8f8017e892ab85e0340d9f60fd1c03f2250cc24bdb0d650edaae873c8dcf543af31e027ac5eaa1bfeda99099286de71332eced742c78d6720

memory/2680-147-0x0000000001E60000-0x0000000001E86000-memory.dmp

\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Newtonsoft.Json.dll

MD5 081d9558bbb7adce142da153b2d5577a
SHA1 7d0ad03fbda1c24f883116b940717e596073ae96
SHA256 b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA512 2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

memory/2680-151-0x00000000054D0000-0x0000000005580000-memory.dmp

\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll

MD5 c510b1756eac53c62ba8c7279609357f
SHA1 953ee732da8c49d2ef97711f5b7220d5e2cea8d6
SHA256 188f3af3e336a5bf1dc82007fa4b96522b3ed946326a65b93dbeb0e24356f642
SHA512 61ebf783d156733cbcf654a73bb73a67e63bc544376154b86f8c418a9ffaced9dfb7a0eea1b36d2622f7990539b078064cabe5d26976124a18e6aba580be2b33

memory/2680-157-0x0000000000580000-0x000000000058E000-memory.dmp

memory/2680-161-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll

MD5 9a341540899dcc5630886f2d921be78f
SHA1 bab44612721c3dc91ac3d9dfca7c961a3a511508
SHA256 3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5
SHA512 066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37

memory/2680-167-0x0000000001F80000-0x0000000001F8E000-memory.dmp

\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll

MD5 2338953ae2ab47de1703f27e872e84ba
SHA1 2765b2f2cd04a0e1df7556da551ce9d763bc5c4d
SHA256 bfc4890087c01f629fa09e744e5a861f9f68b504100cbcf805855fa5906d61c7
SHA512 417ce0ef8344409ebd05b8c52b58a3960489fe810b95af31e72430690ffb8258042a73e205fc27396731113ad84302ff898821b4f2db2b9d4fa2b2293ccca872

C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll

MD5 ed2315668a0dda422f463d27c8110838
SHA1 ce17813ccc0cd968d9fb3d01e7b7ffbf3b05cebe
SHA256 0ce6da02115192a688359299b1a47ce9e6b2a8adf3dfcd92a2467b55d5f3c0aa
SHA512 e9a47c030fa20a8d36f0c47293e547de0e7d978813ebde64f181d76d8606cf629846075ecb5e3a0b9d262a6fba7aeb0caa8fe3006c018de3c2c2ecdbf31c1eb7

C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.config

MD5 0e4ebc00f6099b2e065d9015fb53977d
SHA1 7542e6ecbd4fe9c018f1875126f72159a14369d8
SHA256 2f2975da8453485ddf84221e1e3d6823dcba996a4ce44cd6391cf4d2dd18e828
SHA512 2937e89aad01ca30f9aff99f84c33083c7a32ce8534e98a0c5acd8ab3edfeb23d2f6d9d99902ea34857c187ec093f18e833a192f71d29d18a7e378ecf351923e

C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\vs_setup_bootstrapper.json

MD5 ecd028adc95c8ae1a92db26c5fdedb09
SHA1 a0b505a8ba954147e33542de25fdbd54ef3c5304
SHA256 94cdbb8cd5b9fd5e44858efe36e25994c56848fa0e77920c08253f3e3063a2e3
SHA512 0df8ace311c4bb75e4e036857828a57a1f76d075fe2056ef44fd9f3d865ab7dbc686c01274627b418a530ba0e761673d29c3f0ee3432887df7465ecfd167b7f6

memory/2680-177-0x0000000004E30000-0x0000000004E3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ca5878efe3ba0a5753b729\vs_bootstrapper_d15\detection.json

MD5 782f4beae90d11351db508f38271eb26
SHA1 f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c
SHA256 c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9
SHA512 0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4

C:\ProgramData\Microsoft Visual Studio\prpbg.dat.bak

MD5 5a744a5ad32e332c65a85ccd710020d8
SHA1 57fc4a7fd698a70dc328207526f85393cf955cfd
SHA256 fc9d00569c460fd79154821923a4dcb0063f60db6c709200b81a72f852d990bf
SHA512 a7ba98cd076ef0f4793cc61c7c77a1df265642443b7183279de737b993024c342e7f25cee45ea9bb57ce21e537e271f16dff83ab383a9e2b6a18434e45c3d8e5

memory/2680-191-0x0000000004E30000-0x0000000004E3A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\20240611174910_6eb765ecddff496ead63e9cbcf545b30.trn

MD5 0f1727cff83bc38330e7d7190c1b8d1a
SHA1 9c77e4d84c4c32894dc4bc49e994d420a8a908d4
SHA256 ac165ece4d76ddc48ac0247e7e5990def8abca530b87d56f773a89266ac9d051
SHA512 ea17b976bb5539ce7480ac598ba06626593db42990315b44b76ee6be99220384a8887590c1a019b85f2f12d0583109df944afe96c912a322926cacbe65b654ba

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 17:48
Reported: 2024-06-11 17:50
Platform: win10v2004-20240508-en
Max time kernel: 43s
Max time network: 52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BIOK8wevXuZ1kRN.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A (19 identical rows)

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1620 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | C:\Users\Admin\AppData\Local\Temp\BIOK8wevXuZ1kRN.exe (3 identical rows)
PID 1620 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe | C:\Windows\CTS.exe (3 identical rows)
PID 1824 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\BIOK8wevXuZ1kRN.exe | C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe (3 identical rows)
PID 3652 wrote to memory of 1152 | N/A | C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | C:\Windows\SysWOW64\getmac.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_331f34d8ab812ec3643ca8ff80f732b4_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\BIOK8wevXuZ1kRN.exe

C:\Users\Admin\AppData\Local\Temp\BIOK8wevXuZ1kRN.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\BIOK8wevXuZ1kRN.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\getmac.exe

"getmac"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp
US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp
US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp
US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp

Files

C:\Users\Admin\AppData\Local\Temp\BIOK8wevXuZ1kRN.exe

MD5 f32908d4944949b7c026a0421ce04879
SHA1 54f01696973eb9cc63c5a0a08812c188dd5150df
SHA256 2cd59d39d80de8823851ede07d0ddba1f283b0fae86060441f748b11e6e31f4f
SHA512 8d2ad3ea536a84320da3cbe874aca227329069624f2606767adc335ded18fd6f0646d74d7169179bebb1fce7bc4687f2164a0f23dd50d251a392bf4eea7d36c8

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 7971556d965eb7960a3ff88ca67af8e3
SHA1 e441f17f873b265940f6cb6f412c7228e14c751f
SHA256 252f769ee13c215cc93e1befd286b6cfa1f9f7a5f245c734edaea36c13d22715
SHA512 c84c0dbe4cff902a6fb71ae9693c29e1ef1c9f2c126e04f6ac49b783a42120fe905f5401d3901e607d0db45ea5ac3acd1cd943f7ad978057c221801e4ee3aa01

C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

MD5 d6baac92ade6ade86ac8b33179c13db8
SHA1 c2dfc428a02ffc2c3cc293423d38037ea75cfade
SHA256 eafadec2a23db1e659ecec552971b847eaa78b5e665db8984e456e159715ec10
SHA512 7577167f2954402ffa642e1705acacc49e577268c102f00685cf5968c669d16e2925db39650882054b6e812433c98c916f737f7bacdb94ce8c37277a7585ec45

C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config

MD5 010d94408fd5432563d51e416ba346b3
SHA1 0041f1989b67b666ec0f0581f9e6ce0e94b55c55
SHA256 0472025ac139903fead459c4c173364f128f68f015d0299fb0ddd835f7437d5d
SHA512 d3252d2f2e07ca2e29c26894400690a0698a8cfcaefc3dd7f7c5020193725e331833fe997b8889807900e08d5c9b09ce69e803d64452b297385713f0e3a325f1

memory/3652-141-0x000000007361E000-0x000000007361F000-memory.dmp

memory/3652-143-0x0000000000360000-0x00000000003C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll

MD5 fc32f39277ebbe48d976c9970cdab5dd
SHA1 2d2e6eafd0d16ec8f577293f4903f2ae3453752f
SHA256 7dd27a5ca48c16725e3a3ec9b18b1e198390e4c5f62af9a5c2489b27e3f871f8
SHA512 30f99c799d2f88fc5cd66593435f851410e9cbafb10ad435c57a85a7eb86a4cf7179937b2da2597dab77da3b04d9770331ea776053d02af08ad4f6c7abbc45ea

memory/3652-147-0x0000000004CE0000-0x0000000004E22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll

MD5 d4fa5e438ff243a1da462726fb4ea164
SHA1 7effd06f4eaa0a5d701ea4162dce55cbfeb4c0cd
SHA256 fa9d5c116363ccc82f92767bbb36d154f8903b861a9de65a01fd7824a566b4b0
SHA512 8dbfc97abb5eb4363a1c896a4d276630a502354ed144e60dfb0ffbc1245486003d8af49443fd4baa70541114b50764467caed709cc416f60eaf33fd0f6fcee7b

C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll

MD5 015ef51b3e50cc182b323524e5296172
SHA1 f5e8cb54340c3f6f0c4876348193afd04bb10323
SHA256 289200599446f28664d3a44774ec076061fab75fa7307637284bf50231d25c0b
SHA512 8c69cbaee9e9d4c526fd5f5db5a1d5030821f1ce79e7a4698bb2ef9617e81832528130a485c09bfd24b63202e5c91ba03accdbe53f0be9a3bcb11e16b12097e5

memory/3652-151-0x0000000005120000-0x0000000005188000-memory.dmp

memory/3652-155-0x0000000005280000-0x000000000536A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll

MD5 7ef638cbd3200605fc15e7be7ea9fcb5
SHA1 534f6176f10bc79b2655e535b7ac6a4df9f67855
SHA256 467df0856c41d9b37e6c55ae1b82edcca60f4c7847f93b7f24ca6543b675ad8a
SHA512 c145576d119e2053c0cbffb910f63003d42c2af320ba410f6e81da9e40cc337000d8ad733778873bd2700e366f5672c311d69b4b2391564fe19fa6e48c1cb373

memory/3652-159-0x0000000004CC0000-0x0000000004CC8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll

MD5 a6076a6e981bc6c29f270d3919e722e8
SHA1 739c1b7fe6ade740cd87aeb84a4ac10720b14a2a
SHA256 460bed22e1f7148209901da0eb97fd8d83fef8f1404e3fb82219c90ae2876710
SHA512 064f5a4756b3a0b8f8017e892ab85e0340d9f60fd1c03f2250cc24bdb0d650edaae873c8dcf543af31e027ac5eaa1bfeda99099286de71332eced742c78d6720

memory/3652-163-0x00000000050E0000-0x0000000005106000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Newtonsoft.Json.dll

MD5 081d9558bbb7adce142da153b2d5577a
SHA1 7d0ad03fbda1c24f883116b940717e596073ae96
SHA256 b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA512 2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

memory/3652-167-0x00000000056A0000-0x0000000005750000-memory.dmp

memory/3652-168-0x0000000073610000-0x0000000073DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll

MD5 c510b1756eac53c62ba8c7279609357f
SHA1 953ee732da8c49d2ef97711f5b7220d5e2cea8d6
SHA256 188f3af3e336a5bf1dc82007fa4b96522b3ed946326a65b93dbeb0e24356f642
SHA512 61ebf783d156733cbcf654a73bb73a67e63bc544376154b86f8c418a9ffaced9dfb7a0eea1b36d2622f7990539b078064cabe5d26976124a18e6aba580be2b33

memory/3652-172-0x00000000055F0000-0x00000000055FE000-memory.dmp

memory/3652-176-0x0000000005620000-0x0000000005628000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll

MD5 9a341540899dcc5630886f2d921be78f
SHA1 bab44612721c3dc91ac3d9dfca7c961a3a511508
SHA256 3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5
SHA512 066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37

memory/3652-180-0x00000000059B0000-0x00000000059BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll

MD5 2338953ae2ab47de1703f27e872e84ba
SHA1 2765b2f2cd04a0e1df7556da551ce9d763bc5c4d
SHA256 bfc4890087c01f629fa09e744e5a861f9f68b504100cbcf805855fa5906d61c7
SHA512 417ce0ef8344409ebd05b8c52b58a3960489fe810b95af31e72430690ffb8258042a73e205fc27396731113ad84302ff898821b4f2db2b9d4fa2b2293ccca872

C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll

MD5 ed2315668a0dda422f463d27c8110838
SHA1 ce17813ccc0cd968d9fb3d01e7b7ffbf3b05cebe
SHA256 0ce6da02115192a688359299b1a47ce9e6b2a8adf3dfcd92a2467b55d5f3c0aa
SHA512 e9a47c030fa20a8d36f0c47293e547de0e7d978813ebde64f181d76d8606cf629846075ecb5e3a0b9d262a6fba7aeb0caa8fe3006c018de3c2c2ecdbf31c1eb7

C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\vs_setup_bootstrapper.config

MD5 0e4ebc00f6099b2e065d9015fb53977d
SHA1 7542e6ecbd4fe9c018f1875126f72159a14369d8
SHA256 2f2975da8453485ddf84221e1e3d6823dcba996a4ce44cd6391cf4d2dd18e828
SHA512 2937e89aad01ca30f9aff99f84c33083c7a32ce8534e98a0c5acd8ab3edfeb23d2f6d9d99902ea34857c187ec093f18e833a192f71d29d18a7e378ecf351923e

C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202406111748262896.json

MD5 ecd028adc95c8ae1a92db26c5fdedb09
SHA1 a0b505a8ba954147e33542de25fdbd54ef3c5304
SHA256 94cdbb8cd5b9fd5e44858efe36e25994c56848fa0e77920c08253f3e3063a2e3
SHA512 0df8ace311c4bb75e4e036857828a57a1f76d075fe2056ef44fd9f3d865ab7dbc686c01274627b418a530ba0e761673d29c3f0ee3432887df7465ecfd167b7f6

memory/3652-188-0x0000000005BA0000-0x0000000005BC2000-memory.dmp

memory/3652-189-0x0000000005BD0000-0x0000000005F24000-memory.dmp

memory/3652-190-0x0000000006480000-0x00000000064E6000-memory.dmp

memory/3652-191-0x0000000006D80000-0x0000000006E3A000-memory.dmp

memory/3652-192-0x0000000006FE0000-0x0000000007072000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ada6668fa3a03f69c3be1bfda2a2\vs_bootstrapper_d15\detection.json

MD5 782f4beae90d11351db508f38271eb26
SHA1 f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c
SHA256 c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9
SHA512 0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4

memory/3652-194-0x0000000007630000-0x0000000007BD4000-memory.dmp

memory/3652-195-0x00000000074A0000-0x00000000074A8000-memory.dmp

memory/3652-196-0x000000000A3A0000-0x000000000A3A8000-memory.dmp

memory/3652-197-0x000000000ACF0000-0x000000000AD28000-memory.dmp

memory/3652-198-0x000000000A180000-0x000000000A18E000-memory.dmp

memory/3652-199-0x000000007361E000-0x000000007361F000-memory.dmp

memory/3652-200-0x0000000073610000-0x0000000073DC0000-memory.dmp