Malware Analysis Report

2024-11-30 06:32

Sample ID 240612-r5jkwasfkl
Target 2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware
SHA256 2247ebb548c0f485d645b58f065faa53758931d2aed8e4cc33e46af693876531
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2247ebb548c0f485d645b58f065faa53758931d2aed8e4cc33e46af693876531

Threat Level: Shows suspicious behavior

The file 2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware was classified as showing suspicious behavior (score 7/10): an unsigned PE that drops and executes further executables, registers a Run key pointing at C:\Windows\CTS.exe, and reads web-browser profile data.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 14:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 14:46

Reported

2024-06-12 14:49

Platform

win7-20240508-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\g8G7uITqL0SV2yM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A (25 identical rows)

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A
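The Run-key and file-drop rows above carry more than the signature names say. The key sits under HKLM, so CTS.exe is started for every account that logs on, not just the user who ran the sample. The Wow6432Node component means the value was written by a 32-bit process on 64-bit Windows: the registry redirector sends 32-bit writers to that subtree, and the SysWOW64\getmac.exe child further down is the same tell. Creating a file directly in C:\Windows needs an elevated token on a default install, so this persistence only lands when the sample runs with administrative rights, as it did in the sandbox. The Python below is an added example, not part of the sandbox report: it runs a Run-key check over constructed registry events modelled on these rows. Only the first event reproduces report data; the field names, the OneDrive entry and the Updater entry are assumptions invented for contrast.

```python
import re
from pathlib import PureWindowsPath

# Constructed registry events modelled on the report's "Adds Run key to start
# application" rows. Only the first reproduces sandbox data; the other two are
# invented for contrast (they are not in the report).
SAMPLE_EVENTS = [
    {"op": "Set value (str)",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS",
     "value": r"C:\Windows\CTS.exe",
     "process": r"C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe"},
    {"op": "Set value (str)",   # benign-looking per-user entry (constructed)
     "key": r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
     "process": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe"},
    {"op": "Set value (str)",   # per-user entry pointing into Temp (constructed)
     "key": r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\Admin\AppData\Local\Temp\upd.exe",
     "process": r"C:\Users\Admin\Downloads\setup.exe"},
]

# Run / RunOnce under HKLM or a user hive, with or without the WOW64 redirect.
# Case-insensitive on purpose: the win7 run logs "Wow6432Node", the win10 run "WOW6432Node".
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\(?P<hive>MACHINE|USER\\[^\\]+)\\SOFTWARE\\(?P<wow>Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(?P<run>RunOnce|Run)\\(?P<name>[^\\]+)$",
    re.IGNORECASE)

def image_path(value: str) -> str:
    """Pull the executable out of a Run value, quoted or not, with or without arguments."""
    m = re.match(r'^\s*"?(?P<exe>[^"]+?\.exe)"?(?=\s|$)', value, re.IGNORECASE)
    return m.group("exe") if m else value.strip()

def classify_location(exe: str):
    """Reason string for a launch path that normal software rarely uses, else None."""
    p = PureWindowsPath(exe)
    parent = str(p.parent).lower()
    if parent == "c:\\windows":            # bare exe in the Windows root, not System32/SysWOW64
        return "executable placed directly in the Windows root"
    low = str(p).lower()
    if "\\appdata\\local\\temp\\" in low or "\\users\\public\\" in low:
        return "executable launched from a temp or world-writable directory"
    return None

def find_run_key_persistence(events):
    """Flag Run-key writes whose target lives somewhere legitimate software rarely uses."""
    findings = []
    for ev in events:
        m = RUN_KEY_RE.match(ev["key"])
        if m is None or not ev["op"].startswith("Set value"):
            continue
        exe = image_path(ev["value"])
        reason = classify_location(exe)
        if reason is None:
            continue
        findings.append({
            "name": m.group("name"),
            "key": m.group("run"),
            "scope": "all users (HKLM)" if m.group("hive").upper() == "MACHINE" else "current user (HKCU)",
            "wow64": bool(m.group("wow")),      # value written by a 32-bit process on 64-bit Windows
            "image": exe,
            "reason": reason,
            "writer": ev["process"],
        })
    return findings

if __name__ == "__main__":
    for f in find_run_key_persistence(SAMPLE_EVENTS):
        print(f"{f['key']}\\{f['name']} -> {f['image']} [{f['scope']}, wow64={f['wow64']}]: {f['reason']}")
```

Run against the constructed events it reports the CTS entry (machine-wide, 32-bit writer, payload in the Windows root) and the Temp-based Updater entry, and stays quiet on the Program Files entry. The location rules are deliberately narrow; a production check would also compare the image hash and signer.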

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1792 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe C:\Users\Admin\AppData\Local\Temp\g8G7uITqL0SV2yM.exe (7 identical rows)
PID 1792 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe C:\Windows\CTS.exe (4 identical rows)
PID 2228 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\g8G7uITqL0SV2yM.exe C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe (7 identical rows)
PID 2824 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe C:\Windows\SysWOW64\getmac.exe (4 identical rows)
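Every writer/target pair in this table is also a parent/child pair in the Processes list: the sample writes into the two processes it starts (g8G7uITqL0SV2yM.exe and CTS.exe), the extracted package writes into the bootstrapper it launches, and the bootstrapper writes into getmac.exe. CreateProcess itself writes into a freshly created child (its process parameters and environment) before the first thread runs, so a parent writing into its own child is expected and these rows on their own do not show code injection. What would is a write into a process the writer did not create. The Python below is an added example, not part of the report: it parses rows in the table's format, merges repeats, reconstructs the tree and tags each pair against a parent map. The report prints no PPIDs, so the parent map is inferred from the process list and from the bootstrapper's _SFX_CAB_EXE_PACKAGE argument and is an assumption; the last sample row is constructed, not from the report, to show a cross-process write being flagged.

```python
import re
from collections import defaultdict

# Rows in the format of the report's "Suspicious use of WriteProcessMemory"
# table (behavioral1), repeats merged with a trailing "(N identical rows)".
# The LAST row is constructed and is NOT in the report: it stands in for a
# write into a process the writer did not create.
ROWS = r"""
PID 1792 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe C:\Users\Admin\AppData\Local\Temp\g8G7uITqL0SV2yM.exe (7 identical rows)
PID 1792 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe C:\Windows\CTS.exe (4 identical rows)
PID 2228 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\g8G7uITqL0SV2yM.exe C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe (7 identical rows)
PID 2824 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe C:\Windows\SysWOW64\getmac.exe (4 identical rows)
PID 1716 wrote to memory of 1360 N/A C:\Windows\CTS.exe C:\Windows\SysWOW64\getmac.exe
""".strip().splitlines()

# Parent PIDs. The report prints no PPIDs; this map is inferred from its
# process list and from the bootstrapper's _SFX_CAB_EXE_PACKAGE argument
# (which names g8G7uITqL0SV2yM.exe as the package that extracted it).
# Treat it as an assumption, not as sandbox data.
PARENT_OF = {2228: 1792, 1716: 1792, 2824: 2228, 1360: 2824}

# \S+ is enough for this report's paths; paths containing spaces would need quoting.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)(?: \((?P<n>\d+) identical rows\))?$")

def parse_rows(rows):
    """Merge rows into {(writer_pid, target_pid): {"count", "src", "dst"}}."""
    edges = {}
    for line in rows:
        m = ROW_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        key = (int(m["src"]), int(m["dst"]))
        e = edges.setdefault(key, {"count": 0, "src": m["src_img"], "dst": m["dst_img"]})
        e["count"] += int(m["n"] or 1)
    return edges

def classify_edges(edges, parent_of):
    """Creation-time write (target is the writer's own child) vs cross-process write."""
    return [{"src": s, "dst": d, "count": e["count"], "dst_img": e["dst"],
             "creation_time": parent_of.get(d) == s}
            for (s, d), e in edges.items()]

def render_tree(parent_of, images, root):
    """Indented process tree built from the (assumed) parent map."""
    children = defaultdict(list)
    for pid, ppid in parent_of.items():
        children[ppid].append(pid)
    lines = []
    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images.get(pid, '?')}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)
    walk(root, 0)
    return "\n".join(lines)

def analyse(rows, parent_of):
    """Return (per-edge verdicts, rendered tree) for rows in the report's format."""
    edges = parse_rows(rows)
    images = {}
    for (s, d), e in edges.items():
        images.setdefault(s, e["src"].rsplit("\\", 1)[-1])
        images.setdefault(d, e["dst"].rsplit("\\", 1)[-1])
    root = next(pid for pid in images if pid not in parent_of)
    return classify_edges(edges, parent_of), render_tree(parent_of, images, root)

if __name__ == "__main__":
    verdicts, tree = analyse(ROWS, PARENT_OF)
    print(tree)
    for v in verdicts:
        tag = "creation-time write" if v["creation_time"] else "CROSS-PROCESS WRITE, inspect"
        print(f"{v['src']} -> {v['dst']} ({v['dst_img']}) x{v['count']}: {tag}")
```

The four report edges come out as creation-time writes with their original repeat counts (7, 4, 7, 4); only the constructed CTS.exe to getmac.exe row is flagged. On a real host the parent map would come from process-creation telemetry (Sysmon event 1 or the sandbox's own process tree) rather than from inference.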

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\g8G7uITqL0SV2yM.exe

C:\Users\Admin\AppData\Local\Temp\g8G7uITqL0SV2yM.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\g8G7uITqL0SV2yM.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\getmac.exe

"getmac"

Network

Country Destination Domain Proto
US 8.8.8.8:53 az700632.vo.msecnd.net udp (4 identical rows)
US 8.8.8.8:53 az667904.vo.msecnd.net udp (4 identical rows)

Files

\Users\Admin\AppData\Local\Temp\g8G7uITqL0SV2yM.exe

MD5 f32908d4944949b7c026a0421ce04879
SHA1 54f01696973eb9cc63c5a0a08812c188dd5150df
SHA256 2cd59d39d80de8823851ede07d0ddba1f283b0fae86060441f748b11e6e31f4f
SHA512 8d2ad3ea536a84320da3cbe874aca227329069624f2606767adc335ded18fd6f0646d74d7169179bebb1fce7bc4687f2164a0f23dd50d251a392bf4eea7d36c8

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

MD5 d6baac92ade6ade86ac8b33179c13db8
SHA1 c2dfc428a02ffc2c3cc293423d38037ea75cfade
SHA256 eafadec2a23db1e659ecec552971b847eaa78b5e665db8984e456e159715ec10
SHA512 7577167f2954402ffa642e1705acacc49e577268c102f00685cf5968c669d16e2925db39650882054b6e812433c98c916f737f7bacdb94ce8c37277a7585ec45

C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config

MD5 010d94408fd5432563d51e416ba346b3
SHA1 0041f1989b67b666ec0f0581f9e6ce0e94b55c55
SHA256 0472025ac139903fead459c4c173364f128f68f015d0299fb0ddd835f7437d5d
SHA512 d3252d2f2e07ca2e29c26894400690a0698a8cfcaefc3dd7f7c5020193725e331833fe997b8889807900e08d5c9b09ce69e803d64452b297385713f0e3a325f1

memory/2824-125-0x0000000000DD0000-0x0000000000E36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll

MD5 fc32f39277ebbe48d976c9970cdab5dd
SHA1 2d2e6eafd0d16ec8f577293f4903f2ae3453752f
SHA256 7dd27a5ca48c16725e3a3ec9b18b1e198390e4c5f62af9a5c2489b27e3f871f8
SHA512 30f99c799d2f88fc5cd66593435f851410e9cbafb10ad435c57a85a7eb86a4cf7179937b2da2597dab77da3b04d9770331ea776053d02af08ad4f6c7abbc45ea

memory/2824-129-0x00000000046D0000-0x0000000004812000-memory.dmp

\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll

MD5 d4fa5e438ff243a1da462726fb4ea164
SHA1 7effd06f4eaa0a5d701ea4162dce55cbfeb4c0cd
SHA256 fa9d5c116363ccc82f92767bbb36d154f8903b861a9de65a01fd7824a566b4b0
SHA512 8dbfc97abb5eb4363a1c896a4d276630a502354ed144e60dfb0ffbc1245486003d8af49443fd4baa70541114b50764467caed709cc416f60eaf33fd0f6fcee7b

memory/2824-133-0x00000000006B0000-0x0000000000718000-memory.dmp

\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll

MD5 015ef51b3e50cc182b323524e5296172
SHA1 f5e8cb54340c3f6f0c4876348193afd04bb10323
SHA256 289200599446f28664d3a44774ec076061fab75fa7307637284bf50231d25c0b
SHA512 8c69cbaee9e9d4c526fd5f5db5a1d5030821f1ce79e7a4698bb2ef9617e81832528130a485c09bfd24b63202e5c91ba03accdbe53f0be9a3bcb11e16b12097e5

memory/2824-137-0x0000000005010000-0x00000000050FA000-memory.dmp

memory/2824-145-0x0000000000BB0000-0x0000000000BD6000-memory.dmp

\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll

MD5 a6076a6e981bc6c29f270d3919e722e8
SHA1 739c1b7fe6ade740cd87aeb84a4ac10720b14a2a
SHA256 460bed22e1f7148209901da0eb97fd8d83fef8f1404e3fb82219c90ae2876710
SHA512 064f5a4756b3a0b8f8017e892ab85e0340d9f60fd1c03f2250cc24bdb0d650edaae873c8dcf543af31e027ac5eaa1bfeda99099286de71332eced742c78d6720

memory/2824-141-0x0000000000720000-0x0000000000728000-memory.dmp

\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll

MD5 7ef638cbd3200605fc15e7be7ea9fcb5
SHA1 534f6176f10bc79b2655e535b7ac6a4df9f67855
SHA256 467df0856c41d9b37e6c55ae1b82edcca60f4c7847f93b7f24ca6543b675ad8a
SHA512 c145576d119e2053c0cbffb910f63003d42c2af320ba410f6e81da9e40cc337000d8ad733778873bd2700e366f5672c311d69b4b2391564fe19fa6e48c1cb373

\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Newtonsoft.Json.dll

MD5 081d9558bbb7adce142da153b2d5577a
SHA1 7d0ad03fbda1c24f883116b940717e596073ae96
SHA256 b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA512 2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

memory/2824-155-0x0000000000DC0000-0x0000000000DCE000-memory.dmp

\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll

MD5 c510b1756eac53c62ba8c7279609357f
SHA1 953ee732da8c49d2ef97711f5b7220d5e2cea8d6
SHA256 188f3af3e336a5bf1dc82007fa4b96522b3ed946326a65b93dbeb0e24356f642
SHA512 61ebf783d156733cbcf654a73bb73a67e63bc544376154b86f8c418a9ffaced9dfb7a0eea1b36d2622f7990539b078064cabe5d26976124a18e6aba580be2b33

memory/2824-149-0x0000000004AF0000-0x0000000004BA0000-memory.dmp

memory/2824-159-0x00000000042E0000-0x00000000042E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll

MD5 9a341540899dcc5630886f2d921be78f
SHA1 bab44612721c3dc91ac3d9dfca7c961a3a511508
SHA256 3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5
SHA512 066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37

memory/2824-165-0x0000000004950000-0x000000000495E000-memory.dmp

\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll

MD5 2338953ae2ab47de1703f27e872e84ba
SHA1 2765b2f2cd04a0e1df7556da551ce9d763bc5c4d
SHA256 bfc4890087c01f629fa09e744e5a861f9f68b504100cbcf805855fa5906d61c7
SHA512 417ce0ef8344409ebd05b8c52b58a3960489fe810b95af31e72430690ffb8258042a73e205fc27396731113ad84302ff898821b4f2db2b9d4fa2b2293ccca872

\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll

MD5 ed2315668a0dda422f463d27c8110838
SHA1 ce17813ccc0cd968d9fb3d01e7b7ffbf3b05cebe
SHA256 0ce6da02115192a688359299b1a47ce9e6b2a8adf3dfcd92a2467b55d5f3c0aa
SHA512 e9a47c030fa20a8d36f0c47293e547de0e7d978813ebde64f181d76d8606cf629846075ecb5e3a0b9d262a6fba7aeb0caa8fe3006c018de3c2c2ecdbf31c1eb7

C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.config

MD5 0e4ebc00f6099b2e065d9015fb53977d
SHA1 7542e6ecbd4fe9c018f1875126f72159a14369d8
SHA256 2f2975da8453485ddf84221e1e3d6823dcba996a4ce44cd6391cf4d2dd18e828
SHA512 2937e89aad01ca30f9aff99f84c33083c7a32ce8534e98a0c5acd8ab3edfeb23d2f6d9d99902ea34857c187ec093f18e833a192f71d29d18a7e378ecf351923e

C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202406121446381180.json

MD5 ecd028adc95c8ae1a92db26c5fdedb09
SHA1 a0b505a8ba954147e33542de25fdbd54ef3c5304
SHA256 94cdbb8cd5b9fd5e44858efe36e25994c56848fa0e77920c08253f3e3063a2e3
SHA512 0df8ace311c4bb75e4e036857828a57a1f76d075fe2056ef44fd9f3d865ab7dbc686c01274627b418a530ba0e761673d29c3f0ee3432887df7465ecfd167b7f6

memory/2824-175-0x0000000004CD0000-0x0000000004CDA000-memory.dmp

memory/2824-176-0x0000000004CD0000-0x0000000004CDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\detection.json

MD5 782f4beae90d11351db508f38271eb26
SHA1 f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c
SHA256 c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9
SHA512 0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4

memory/2824-179-0x0000000004CD0000-0x0000000004CDA000-memory.dmp

memory/2824-178-0x0000000004CD0000-0x0000000004CDA000-memory.dmp
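Across the two detonations the stage-one dropper is written under a different random name each time (g8G7uITqL0SV2yM.exe here, XeI0xN5dhAXY6YJ.exe in the behavioral2 run below) but hashes identically, and C:\Windows\CTS.exe hashes identically as well. The dropper's filename is therefore worthless as an indicator, while its hash, the fixed C:\Windows\CTS.exe path and the Run value are the durable ones. The vs_setup_bootstrapper.exe tree also hashes identically in both runs, but the report does not establish whether those are the genuine Visual Studio installer components, so do not block on those hashes before checking their signatures. The Python below is an added example, not part of the report: it correlates a hand-copied subset of the file entries by SHA256 across runs and applies a simple heuristic for generated names. The run labels and the name heuristic are ours.

```python
from collections import defaultdict

# File entries copied from the report's two detonations as (run, path, SHA256).
# Only a subset is reproduced; the run labels are ours, not the report's.
FILES = [
    ("behavioral1", r"\Users\Admin\AppData\Local\Temp\g8G7uITqL0SV2yM.exe",
     "2cd59d39d80de8823851ede07d0ddba1f283b0fae86060441f748b11e6e31f4f"),
    ("behavioral1", r"C:\Windows\CTS.exe",
     "075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163"),
    ("behavioral1", r"\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe",
     "eafadec2a23db1e659ecec552971b847eaa78b5e665db8984e456e159715ec10"),
    ("behavioral1", r"\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Newtonsoft.Json.dll",
     "b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\XeI0xN5dhAXY6YJ.exe",
     "2cd59d39d80de8823851ede07d0ddba1f283b0fae86060441f748b11e6e31f4f"),
    ("behavioral2", r"C:\Windows\CTS.exe",
     "075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe",
     "eafadec2a23db1e659ecec552971b847eaa78b5e665db8984e456e159715ec10"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Newtonsoft.Json.dll",
     "b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml",
     "ac27f429d78bccfdea78b9d0c8dd2808598d8ea6b0503a3c5fdcdd5168c5d806"),
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def looks_random(name: str) -> bool:
    """Heuristic for per-run generated names such as g8G7uITqL0SV2yM.exe: a stem of
    12+ alphanumerics mixing upper case, lower case and digits. A heuristic only."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 12 or not stem.isalnum():
        return False
    return (any(c.isupper() for c in stem) and any(c.islower() for c in stem)
            and any(c.isdigit() for c in stem))

def correlate(files):
    """Group entries by SHA256 regardless of path or run."""
    by_hash = defaultdict(lambda: {"names": set(), "runs": set(), "paths": []})
    for run, path, sha in files:
        g = by_hash[sha.lower()]
        g["names"].add(basename(path))
        g["runs"].add(run)
        g["paths"].append((run, path))
    return dict(by_hash)

def stable_iocs(files, min_runs=2):
    """Hashes seen in at least min_runs detonations, noting whether the on-disk
    name is itself a usable indicator or is regenerated on every run."""
    out = []
    for sha, g in correlate(files).items():
        if len(g["runs"]) < min_runs:
            continue
        out.append({"sha256": sha, "names": sorted(g["names"]),
                    "name_is_stable": len(g["names"]) == 1,
                    "generated_name": any(looks_random(n) for n in g["names"])})
    return out

if __name__ == "__main__":
    for ioc in stable_iocs(FILES):
        kind = "hash only" if ioc["generated_name"] else "hash + name"
        print(f"{ioc['sha256'][:16]}...  {', '.join(ioc['names'])}  [{kind}]")
```

Of the subset, four hashes recur across both runs; the dropper comes back with two different generated names (hash-only indicator), CTS.exe with one stable name, and the Office rules file appears in a single run only and is dropped. The generated-name heuristic is a convenience for reading sandbox output, not a detection rule.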

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 14:46

Reported

2024-06-12 14:49

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XeI0xN5dhAXY6YJ.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A (19 identical rows)

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3752 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe C:\Users\Admin\AppData\Local\Temp\XeI0xN5dhAXY6YJ.exe (3 identical rows)
PID 3752 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe C:\Windows\CTS.exe (3 identical rows)
PID 900 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\XeI0xN5dhAXY6YJ.exe C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe (3 identical rows)
PID 2192 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe C:\Windows\SysWOW64\getmac.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\XeI0xN5dhAXY6YJ.exe

C:\Users\Admin\AppData\Local\Temp\XeI0xN5dhAXY6YJ.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\XeI0xN5dhAXY6YJ.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\getmac.exe

"getmac"

Network

Country Destination Domain Proto
US 8.8.8.8:53 az667904.vo.msecnd.net udp (2 identical rows)
US 8.8.8.8:53 az700632.vo.msecnd.net udp (2 identical rows)

Files

C:\Users\Admin\AppData\Local\Temp\XeI0xN5dhAXY6YJ.exe

MD5 f32908d4944949b7c026a0421ce04879
SHA1 54f01696973eb9cc63c5a0a08812c188dd5150df
SHA256 2cd59d39d80de8823851ede07d0ddba1f283b0fae86060441f748b11e6e31f4f
SHA512 8d2ad3ea536a84320da3cbe874aca227329069624f2606767adc335ded18fd6f0646d74d7169179bebb1fce7bc4687f2164a0f23dd50d251a392bf4eea7d36c8

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 2c0629a79e9a3e860df8fc14fc93ce25
SHA1 833336b174dfc708f177c93ce99b8c17850b1f15
SHA256 ac27f429d78bccfdea78b9d0c8dd2808598d8ea6b0503a3c5fdcdd5168c5d806
SHA512 c098c0703a9c264cc55176bd920287f3a73e477ee7df18ac27d9d75b29df584ceb81fe2c1800aa7e63bd3de6c4aec1f5fe8dad4aecac8ecf0833288110a763e0

C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

MD5 d6baac92ade6ade86ac8b33179c13db8
SHA1 c2dfc428a02ffc2c3cc293423d38037ea75cfade
SHA256 eafadec2a23db1e659ecec552971b847eaa78b5e665db8984e456e159715ec10
SHA512 7577167f2954402ffa642e1705acacc49e577268c102f00685cf5968c669d16e2925db39650882054b6e812433c98c916f737f7bacdb94ce8c37277a7585ec45

C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config

MD5 010d94408fd5432563d51e416ba346b3
SHA1 0041f1989b67b666ec0f0581f9e6ce0e94b55c55
SHA256 0472025ac139903fead459c4c173364f128f68f015d0299fb0ddd835f7437d5d
SHA512 d3252d2f2e07ca2e29c26894400690a0698a8cfcaefc3dd7f7c5020193725e331833fe997b8889807900e08d5c9b09ce69e803d64452b297385713f0e3a325f1

memory/2192-141-0x000000007339E000-0x000000007339F000-memory.dmp

memory/2192-143-0x0000000000EF0000-0x0000000000F56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll

MD5 fc32f39277ebbe48d976c9970cdab5dd
SHA1 2d2e6eafd0d16ec8f577293f4903f2ae3453752f
SHA256 7dd27a5ca48c16725e3a3ec9b18b1e198390e4c5f62af9a5c2489b27e3f871f8
SHA512 30f99c799d2f88fc5cd66593435f851410e9cbafb10ad435c57a85a7eb86a4cf7179937b2da2597dab77da3b04d9770331ea776053d02af08ad4f6c7abbc45ea

memory/2192-147-0x0000000005B10000-0x0000000005C52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll

MD5 d4fa5e438ff243a1da462726fb4ea164
SHA1 7effd06f4eaa0a5d701ea4162dce55cbfeb4c0cd
SHA256 fa9d5c116363ccc82f92767bbb36d154f8903b861a9de65a01fd7824a566b4b0
SHA512 8dbfc97abb5eb4363a1c896a4d276630a502354ed144e60dfb0ffbc1245486003d8af49443fd4baa70541114b50764467caed709cc416f60eaf33fd0f6fcee7b

C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll

MD5 015ef51b3e50cc182b323524e5296172
SHA1 f5e8cb54340c3f6f0c4876348193afd04bb10323
SHA256 289200599446f28664d3a44774ec076061fab75fa7307637284bf50231d25c0b
SHA512 8c69cbaee9e9d4c526fd5f5db5a1d5030821f1ce79e7a4698bb2ef9617e81832528130a485c09bfd24b63202e5c91ba03accdbe53f0be9a3bcb11e16b12097e5

memory/2192-151-0x0000000005DD0000-0x0000000005E38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll

MD5 a6076a6e981bc6c29f270d3919e722e8
SHA1 739c1b7fe6ade740cd87aeb84a4ac10720b14a2a
SHA256 460bed22e1f7148209901da0eb97fd8d83fef8f1404e3fb82219c90ae2876710
SHA512 064f5a4756b3a0b8f8017e892ab85e0340d9f60fd1c03f2250cc24bdb0d650edaae873c8dcf543af31e027ac5eaa1bfeda99099286de71332eced742c78d6720

memory/2192-160-0x0000000005D70000-0x0000000005D78000-memory.dmp

memory/2192-164-0x0000000005E40000-0x0000000005E66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll

MD5 7ef638cbd3200605fc15e7be7ea9fcb5
SHA1 534f6176f10bc79b2655e535b7ac6a4df9f67855
SHA256 467df0856c41d9b37e6c55ae1b82edcca60f4c7847f93b7f24ca6543b675ad8a
SHA512 c145576d119e2053c0cbffb910f63003d42c2af320ba410f6e81da9e40cc337000d8ad733778873bd2700e366f5672c311d69b4b2391564fe19fa6e48c1cb373

memory/2192-156-0x0000000005F30000-0x000000000601A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Newtonsoft.Json.dll

MD5 081d9558bbb7adce142da153b2d5577a
SHA1 7d0ad03fbda1c24f883116b940717e596073ae96
SHA256 b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA512 2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

memory/2192-169-0x0000000006390000-0x0000000006440000-memory.dmp

memory/2192-173-0x0000000005F10000-0x0000000005F1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll

MD5 c510b1756eac53c62ba8c7279609357f
SHA1 953ee732da8c49d2ef97711f5b7220d5e2cea8d6
SHA256 188f3af3e336a5bf1dc82007fa4b96522b3ed946326a65b93dbeb0e24356f642
SHA512 61ebf783d156733cbcf654a73bb73a67e63bc544376154b86f8c418a9ffaced9dfb7a0eea1b36d2622f7990539b078064cabe5d26976124a18e6aba580be2b33

memory/2192-168-0x0000000073390000-0x0000000073B40000-memory.dmp

memory/2192-177-0x00000000062F0000-0x00000000062F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll

MD5 9a341540899dcc5630886f2d921be78f
SHA1 bab44612721c3dc91ac3d9dfca7c961a3a511508
SHA256 3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5
SHA512 066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37

C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll

MD5 2338953ae2ab47de1703f27e872e84ba
SHA1 2765b2f2cd04a0e1df7556da551ce9d763bc5c4d
SHA256 bfc4890087c01f629fa09e744e5a861f9f68b504100cbcf805855fa5906d61c7
SHA512 417ce0ef8344409ebd05b8c52b58a3960489fe810b95af31e72430690ffb8258042a73e205fc27396731113ad84302ff898821b4f2db2b9d4fa2b2293ccca872

memory/2192-181-0x0000000006780000-0x000000000678E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll

MD5 ed2315668a0dda422f463d27c8110838
SHA1 ce17813ccc0cd968d9fb3d01e7b7ffbf3b05cebe
SHA256 0ce6da02115192a688359299b1a47ce9e6b2a8adf3dfcd92a2467b55d5f3c0aa
SHA512 e9a47c030fa20a8d36f0c47293e547de0e7d978813ebde64f181d76d8606cf629846075ecb5e3a0b9d262a6fba7aeb0caa8fe3006c018de3c2c2ecdbf31c1eb7

C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202406121446376432.json

MD5 ecd028adc95c8ae1a92db26c5fdedb09
SHA1 a0b505a8ba954147e33542de25fdbd54ef3c5304
SHA256 94cdbb8cd5b9fd5e44858efe36e25994c56848fa0e77920c08253f3e3063a2e3
SHA512 0df8ace311c4bb75e4e036857828a57a1f76d075fe2056ef44fd9f3d865ab7dbc686c01274627b418a530ba0e761673d29c3f0ee3432887df7465ecfd167b7f6

C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.config

MD5 0e4ebc00f6099b2e065d9015fb53977d
SHA1 7542e6ecbd4fe9c018f1875126f72159a14369d8
SHA256 2f2975da8453485ddf84221e1e3d6823dcba996a4ce44cd6391cf4d2dd18e828
SHA512 2937e89aad01ca30f9aff99f84c33083c7a32ce8534e98a0c5acd8ab3edfeb23d2f6d9d99902ea34857c187ec093f18e833a192f71d29d18a7e378ecf351923e

memory/2192-189-0x0000000006970000-0x0000000006992000-memory.dmp

memory/2192-190-0x00000000069A0000-0x0000000006CF4000-memory.dmp

memory/2192-191-0x0000000007870000-0x00000000078D6000-memory.dmp

memory/2192-192-0x0000000007AB0000-0x0000000007B42000-memory.dmp

memory/2192-193-0x0000000008100000-0x00000000086A4000-memory.dmp

memory/2192-194-0x00000000086B0000-0x000000000876A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\detection.json

MD5 782f4beae90d11351db508f38271eb26
SHA1 f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c
SHA256 c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9
SHA512 0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4

memory/2192-196-0x00000000080E0000-0x00000000080E8000-memory.dmp

memory/2192-197-0x000000000A9F0000-0x000000000A9F8000-memory.dmp

memory/2192-198-0x000000000AAB0000-0x000000000AAE8000-memory.dmp

memory/2192-199-0x000000000AA80000-0x000000000AA8E000-memory.dmp

memory/2192-200-0x000000007339E000-0x000000007339F000-memory.dmp

memory/2192-201-0x0000000073390000-0x0000000073B40000-memory.dmp
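The listing above is the report's raw Files table: one dropped-file path per entry, followed by its MD5/SHA1/SHA256/SHA512 digests, with `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` region references interleaved. Below is an added Python example (not part of the report or of the sandbox's own tooling) that parses that format, rejects entries whose digests have the wrong hex length (a sign of extraction damage), exports path/SHA256 pairs for a detection pipeline, and totals the dumped memory per PID. The sample input is an excerpt of the listing above plus one constructed, deliberately damaged entry; the function and class names are my own.

```python
"""Parse a sandbox report's dropped-file / memory-region listing into IOCs.
Added example; format assumed as on this page (path line, then hash lines,
memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp lines interleaved)."""
import json
import re
from dataclasses import dataclass, field

# Hex-digest lengths per algorithm; a mismatch marks the entry as damaged.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
MEMDUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)


@dataclass
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_files_section(text: str):
    """Return (files, regions) parsed from the report's Files listing."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            regions.append(MemoryRegion(int(m[1]), int(m[2]),
                                        int(m[3], 16), int(m[4], 16)))
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m[1], m[2].lower()
            if len(digest) != HASH_LENGTHS[algo]:
                current.problems.append(
                    f"{algo}: {len(digest)} hex chars, expected {HASH_LENGTHS[algo]}")
            current.hashes[algo] = digest
            continue
        # Any other non-empty line starts a new dropped-file entry.
        current = DroppedFile(path=line)
        files.append(current)
    return files, regions


def to_iocs(files):
    """Export path + SHA256 for every entry whose digests are well-formed."""
    return [{"path": f.path, "sha256": f.hashes["SHA256"]}
            for f in files if "SHA256" in f.hashes and not f.problems]


def region_summary(regions):
    """Bytes dumped per PID (compare against the image size on disk)."""
    totals = {}
    for r in regions:
        totals[r.pid] = totals.get(r.pid, 0) + r.size
    return totals


# Excerpt of the listing above (two real entries) plus one constructed entry
# with a truncated SHA1, to show how a damaged digest is rejected.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config

MD5 010d94408fd5432563d51e416ba346b3
SHA1 0041f1989b67b666ec0f0581f9e6ce0e94b55c55
SHA256 0472025ac139903fead459c4c173364f128f68f015d0299fb0ddd835f7437d5d
SHA512 d3252d2f2e07ca2e29c26894400690a0698a8cfcaefc3dd7f7c5020193725e331833fe997b8889807900e08d5c9b09ce69e803d64452b297385713f0e3a325f1

memory/2192-141-0x000000007339E000-0x000000007339F000-memory.dmp

memory/2192-143-0x0000000000EF0000-0x0000000000F56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Newtonsoft.Json.dll

MD5 081d9558bbb7adce142da153b2d5577a
SHA1 7d0ad03fbda1c24f883116b940717e596073ae96
SHA256 b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA512 2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

C:\Users\Admin\AppData\Local\Temp\constructed\damaged-entry.dll

MD5 00112233445566778899aabbccddeeff
SHA1 0011223344
SHA256 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    files, regions = parse_files_section(SAMPLE)
    print(json.dumps(to_iocs(files), indent=2))
    for f in files:
        for p in f.problems:
            print(f"skipped {f.path}: {p}")
    print(region_summary(regions))
```

Before feeding the exported digests to a blocklist, note that most of the dropped paths carry the names of Visual Studio bootstrapper components; compare them against a trusted copy of that installer first, because a dropper that merely unpacks a legitimate installer yields the installer's own file hashes, and blocking those would hit clean systems.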