Analysis Overview
SHA256
2247ebb548c0f485d645b58f065faa53758931d2aed8e4cc33e46af693876531
Threat Level: Shows suspicious behavior
The file 2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 14:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 14:46
Reported
2024-06-12 14:49
Platform
win7-20240508-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\g8G7uITqL0SV2yM.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe"
C:\Users\Admin\AppData\Local\Temp\g8G7uITqL0SV2yM.exe
C:\Users\Admin\AppData\Local\Temp\g8G7uITqL0SV2yM.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\g8G7uITqL0SV2yM.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\getmac.exe
"getmac"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp |
Files
\Users\Admin\AppData\Local\Temp\g8G7uITqL0SV2yM.exe
C:\Windows\CTS.exe
\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config
C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll
\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll
\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll
\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll
\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll
\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Newtonsoft.Json.dll
\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll
\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll
\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll
\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll
C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\vs_setup_bootstrapper.config
C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202406121446381180.json
C:\Users\Admin\AppData\Local\Temp\87c6c59d0a9dce05ab461081adc6ca44\vs_bootstrapper_d15\detection.json
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 14:46
Reported
2024-06-12 14:49
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XeI0xN5dhAXY6YJ.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XeI0xN5dhAXY6YJ.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c4d59ece857bbbe28963ec7c8a004b7_bkransomware.exe"
C:\Users\Admin\AppData\Local\Temp\XeI0xN5dhAXY6YJ.exe
C:\Users\Admin\AppData\Local\Temp\XeI0xN5dhAXY6YJ.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\XeI0xN5dhAXY6YJ.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\getmac.exe
"getmac"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\XeI0xN5dhAXY6YJ.exe
C:\Windows\CTS.exe
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config
C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll
C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll
C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll
C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll
C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll
C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Newtonsoft.Json.dll
C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll
C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll
C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll
C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll
C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202406121446376432.json
C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\vs_setup_bootstrapper.config
C:\Users\Admin\AppData\Local\Temp\736a17e73ac281609454f481\vs_bootstrapper_d15\detection.json