asyncrat | 66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe
Size

9.7MB
MD5

fc76cc73d03473b15ebd3c8d10178690
SHA1

1b80580e5e4a48546d1fae6a606731ed767370b1
SHA256

66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769
SHA512

2b5305a28a9db127d971b1511de7ac43c94eccdeb65b51fad1ad15f7250903db5564a999c6c6948a0f0dbdf4326b12d5bfa4d7d4a801d5420e95e8cefa960e12
SSDEEP

49152:GX4ccCjDJiYu7sCJK0G6cfE11tCn+Tql12W88EDH9wm1n77BdEde9SW+iIiJHbQp:G6UZu5G6cf6M+Nb8ETBjwS

Score

10^/10

asyncrat venomrat xred default backdoor discovery macro persistence rat

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

104.219.215.160:4449

104.219.215.160:8008

Mutex

jjzxklegwjqz

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 5 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/files/0x000b000000023b73-190.dat	VenomRAT
behavioral2/files/0x000c000000023b76-211.dat	VenomRAT
behavioral2/memory/4012-325-0x0000000000800000-0x0000000000818000-memory.dmp	VenomRAT
behavioral2/memory/4804-498-0x0000000000400000-0x00000000004D6000-memory.dmp	VenomRAT
behavioral2/memory/4804-536-0x0000000000400000-0x00000000004D6000-memory.dmp	VenomRAT

Venomrat family
venomrat
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000c000000023b76-211.dat	family_asyncrat

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral2/files/0x000b000000023b56-486.dat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	lshss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	._cache_lshss.exe

Executes dropped EXE 5 IoCs

pid	Process
3100	lshss.exe
3564	._cache_lshss.exe
4804	Synaptics.exe
4012	._cache_Synaptics.exe
1280	vs_setup_bootstrapper.exe

Loads dropped DLL 21 IoCs

pid	Process
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe
1280	vs_setup_bootstrapper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	lshss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4440 set thread context of 3100	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	vs_setup_bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lshss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_lshss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vs_setup_bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getmac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	vs_setup_bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vs_setup_bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vs_setup_bootstrapper.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lshss.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5108	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe
4012	._cache_Synaptics.exe
4012	._cache_Synaptics.exe
4012	._cache_Synaptics.exe
4012	._cache_Synaptics.exe
4012	._cache_Synaptics.exe
4012	._cache_Synaptics.exe
4012	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe
Token: SeDebugPrivilege	4012	._cache_Synaptics.exe
Token: SeRestorePrivilege	4488	dw20.exe
Token: SeBackupPrivilege	4488	dw20.exe
Token: SeBackupPrivilege	4488	dw20.exe
Token: SeBackupPrivilege	4488	dw20.exe
Token: SeDebugPrivilege	1280	vs_setup_bootstrapper.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5108	EXCEL.EXE
5108	EXCEL.EXE
4012	._cache_Synaptics.exe
5108	EXCEL.EXE
5108	EXCEL.EXE
5108	EXCEL.EXE
5108	EXCEL.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4008	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	83
PID 4440 wrote to memory of 4008	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	83
PID 4440 wrote to memory of 4008	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	83
PID 4008 wrote to memory of 3568	4008	csc.exe	85
PID 4008 wrote to memory of 3568	4008	csc.exe	85
PID 4008 wrote to memory of 3568	4008	csc.exe	85
PID 4440 wrote to memory of 3100	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	86
PID 4440 wrote to memory of 3100	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	86
PID 4440 wrote to memory of 3100	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	86
PID 4440 wrote to memory of 3100	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	86
PID 4440 wrote to memory of 3100	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	86
PID 4440 wrote to memory of 3100	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	86
PID 4440 wrote to memory of 3100	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	86
PID 4440 wrote to memory of 3100	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	86
PID 4440 wrote to memory of 3100	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	86
PID 4440 wrote to memory of 3100	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	86
PID 4440 wrote to memory of 3100	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	86
PID 4440 wrote to memory of 3100	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	86
PID 4440 wrote to memory of 3100	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	86
PID 3100 wrote to memory of 3564	3100	lshss.exe	87
PID 3100 wrote to memory of 3564	3100	lshss.exe	87
PID 3100 wrote to memory of 3564	3100	lshss.exe	87
PID 3100 wrote to memory of 4804	3100	lshss.exe	88
PID 3100 wrote to memory of 4804	3100	lshss.exe	88
PID 3100 wrote to memory of 4804	3100	lshss.exe	88
PID 4804 wrote to memory of 4012	4804	Synaptics.exe	89
PID 4804 wrote to memory of 4012	4804	Synaptics.exe	89
PID 4440 wrote to memory of 4488	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	90
PID 4440 wrote to memory of 4488	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	90
PID 4440 wrote to memory of 4488	4440	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	90
PID 3564 wrote to memory of 1280	3564	._cache_lshss.exe	91
PID 3564 wrote to memory of 1280	3564	._cache_lshss.exe	91
PID 3564 wrote to memory of 1280	3564	._cache_lshss.exe	91
PID 1280 wrote to memory of 804	1280	vs_setup_bootstrapper.exe	94
PID 1280 wrote to memory of 804	1280	vs_setup_bootstrapper.exe	94
PID 1280 wrote to memory of 804	1280	vs_setup_bootstrapper.exe	94

C:\Users\Admin\AppData\Local\Temp\66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe
"C:\Users\Admin\AppData\Local\Temp\66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ssnrnkhj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9442.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9441.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3568
- C:\Users\Admin\AppData\Roaming\lshss.exe
  C:\Users\Admin\AppData\Roaming\lshss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Users\Admin\AppData\Local\Temp\._cache_lshss.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_lshss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\._cache_lshss.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1280
    - - C:\Windows\SysWOW64\getmac.exe
        
        "getmac"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:804
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4012
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 912
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4488

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
832KB

MD5
bcbb6fd8c5fa588ff1b0299a719cd63b

SHA1
b2808e5b00ffeae5022b97ec78fc6368497c5adf

SHA256
4b7606c7138380ca54e9f6517b6415c3833d7162d18ede2024866f6a6fb41149

SHA512
a3edb6586f0b3d3ad088da1f7b1cddea118dd6a7ed7421960b9a172d75450e9e7d4f169b40441669e2109bbade2170dd1c861d4a8f01711159c2baf4f5d5dafd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20241222050301_2cf8996da2194b928b45de8deeb15597.trn

Filesize
6KB

MD5
8b1f6a36a24e5efe0ece642b99498620

SHA1
22efcd8f95bae100292367eb7047e25f70932d20

SHA256
8e00381a83ee3af209ca758cb06a13fbb672ba27f64624ad8fb86bed65e39b64

SHA512
a2e3ec7e6b2aeaea36091afc1411e6e7de3fb833d1933535ccc01c04414b85d9066d128e6d9f469ef8171c0ea1b95b3a7613b3692e34a206890930e723852e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
74KB

MD5
8ce78f483110d74e5eff82f76e78a0b0

SHA1
ea39826209a5084b5cfbf4a89366856fd330b72d

SHA256
7a573f3735077c7a97662456d8c5f5001559bc6dd2356ff6e4ef92f5e8a9acad

SHA512
69654e33c7ccf5300b92c1e8d4e713671fb0676f01f02e93e500aa62ccd94a96aa6fc2ec9e928b1e8498c7950fa606ba2480bd63a11c379f949d247ff8dc399d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_lshss.exe

Filesize
4.2MB

MD5
508eaf83c6a24782ccd2b6213a3675e9

SHA1
8be90c9786bfc34ed0e7e5b1614be4a8848bf040

SHA256
bd8ed33822c22b49ace81b7b69bc2d2089cd950a432298a5194007e6b750abf0

SHA512
60f1fe5c3a478c7c68778f3573335cd54fee36de21927418d2dd8bfe82fc9ab9cb5bb9e0251d622a99c073451b04b15c05c3732ffe6dacbfc4dfd612fa71f238

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9442.tmp

Filesize
1KB

MD5
c357f48b0755ad41e9c2b2c2e4827d8b

SHA1
1abb0cda3949c08afc2b2abdd8f6a9d5f12b9c39

SHA256
3877bcc95c65ecb16707c7fb9acddf496627ab818ba3a6ce4048eeddcf012d89

SHA512
71fd571580a8a49dca6f421b5718e7e1cc3c33b82771de91994a1a8718c5f4a18cb148ea59517b413d35a448d5099f1daf1996710d476e51d4c36be65a88bbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll

Filesize
19KB

MD5
3374eab90af5842f1f07c1f60e74441f

SHA1
5c7f58d46e19713e785351ae0f17086071b9a881

SHA256
f1ae5d2c81ebb819706682b0b7ce311eb19162f1ec51fdffee2f469e283f68c5

SHA512
0d66a8ebebb6d2df8772089cb829ac038a929d7ba3ef82c5ea221f972777279929b982504b612931d4e52ea44ac6d12c48c06e07d26ae7942125e0020bd84c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll

Filesize
115KB

MD5
49ddd4d8c73e5bce6ca296524f4ad7dc

SHA1
962778dac5a91ecbaa717495939ef1296ecd9bd0

SHA256
6d4f14a228a1c02fcc9eb8004828ba83a4a582359438af979d096b8c12b27319

SHA512
f544be13f34da6a79db960e3ece66c47a5ae7db98485d52afad19e49a661640801f0d159afc0ad735b7af27df30906c71ab65ca2bc85209985db7f35bf812b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll

Filesize
46KB

MD5
355c1a112bc0f859b374a4b1c811c1e7

SHA1
b9a58bb26f334d517ab777b6226fef86a67eb4dd

SHA256
cc52e19735d6152702672feb5911c8ba77f60fdc73df5ed0d601b37415f3a7ed

SHA512
f1e858f97dabeb8e9648d1eb753d6fcd9e2bab378259c02b3e031652e87c29fbabfc48d209983f7074dfc256afd42fa1d8184805534037771a71db517fe16c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll

Filesize
580KB

MD5
04775edbc8687663870e4236d0ee1ebe

SHA1
e508a323371be598aaabb6a7142258f1197f7e00

SHA256
a34e047e3957f51b993bd1f2819a37f67545f6b49f335575d8ca819dece3cd67

SHA512
9ff5b16797651c9ef4af4fb5d9d38c8f25d2e996770db7289bba12ad468b028074393f7fbd10ad0a1fc4601196d17b10086ffcb53edf28c60ddfe0dbb28adc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll

Filesize
307KB

MD5
8533bebaa025a397f10e588324494e97

SHA1
93c30a4bb46c59451bf4b02662bc282f1984ed6c

SHA256
1675c894fb208e6412e017854b835144a2fe55a8ebbde1f2b4b14bfe4cfbc821

SHA512
cb12809a3a7590d50f900197ef2752e181ee9d1f6d163293e78a754de4952e7405a7c70ff94c12659502134be64968741f04e8ad804c9d62b61c36ea237bf5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll

Filesize
1.4MB

MD5
2a001dc022ee695ebd293494fc9febd4

SHA1
d5426adbc98ac17e468e3bd7e97c8b8f3ccc6624

SHA256
ba2a7ce28aeaa0e052b196006cd24e8672fe4dfefb56485f203ef1a614e67d0b

SHA512
95ee5863bb8fcf6b0959e41040f5d29d508b35f782a6f40f83723291f9e295cf179254ff5e79bcea4046884ffcb07b415d53f4b37d2ac1695db899e5063ca959

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll

Filesize
989KB

MD5
812e35d00498b49bdb36b1c5c832b601

SHA1
6754bd78dd97fe0cf8a4a4d4e9e3850a6c296336

SHA256
181c4de1cf0721243d58ebbce905ab3c2c255ec70455a9b59420d6bcbe5e5aa9

SHA512
248166bc45fefc6ad43a4262b9d47174ba06f997addb6da6d6b799e3bd04891ee50f95171670e01f33fa1374b4874bf80a12dd2eac401fb9c7feb916555be096

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll

Filesize
60KB

MD5
bbe6955b4695866de27bb1c1822a25ed

SHA1
adfa2f33e22fd852bf20f396ab8b908e772c1d5a

SHA256
b6f38af430ff17e9ce5721affdbb361cc8a35f7f4a81a1a03c7a4710ea2da124

SHA512
14c1ea1dcf6e3e98e79eed2fd2f5d79eeed48ae52992309ed8e68e0c3d62d3d761b3f103093d6ca8e48cff945a1f42e80eccf7b43eae828c5413edf47aab8864

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\Newtonsoft.Json.dll

Filesize
705KB

MD5
dc926df28065a5d355ad64107f7302a8

SHA1
3dd6bb9c69726eaa05cf198f5e0b7c14e03cda4c

SHA256
5ef06959f1d3355c4f15fbcc2aad17a31740dbdc74284bfd2dca6a7d651bc14d

SHA512
8745575c9099ab6a046098814c8135a1b85e61d8d73c6aaf9f41f04206624f0b625e1a4c73e1fb6f430d625080b7a8dada5119dc98a79a13f4807899b10a591e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\System.Memory.dll

Filesize
138KB

MD5
f09441a1ee47fb3e6571a3a448e05baf

SHA1
3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde

SHA256
bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f

SHA512
0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll

Filesize
17KB

MD5
c610e828b54001574d86dd2ed730e392

SHA1
180a7baafbc820a838bbaca434032d9d33cceebe

SHA256
37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf

SHA512
441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\detection.json

Filesize
8KB

MD5
782f4beae90d11351db508f38271eb26

SHA1
f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c

SHA256
c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9

SHA512
0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\vs_setup_bootstrapper.config

Filesize
622B

MD5
7e33107c12a0c94f66037befc9c178db

SHA1
2c2e2e0421d35e3d957713185c7a76294016da80

SHA256
8ef6c3878a85787f60bf7cac10325f603b5c41e98b65df018f454e4564d4ac47

SHA512
ddbca2b52ae7099f6b53058509de8be37ae2221cd1f50470a84a83963fb7a0dbffca6a3c86c68dea80f05f66af69e0c3bc299a483a86f02279856a8e57d853c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Filesize
403KB

MD5
2fba884456524b453b0ddc8c422e3013

SHA1
b9e83827457f790e0b89895e1a30ea1b84866c0d

SHA256
9d19fe12134339923d815c4ba0d195d5cb55215427cdfffec7d7da821f416272

SHA512
b0ac2a5ebb5b7e56680e66aa5574bc5f343f879b7698a59286a925c3746357a67bdcc4d20d2394e99195b759542065772708f8c07b471ab862fbf83a1c1100f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config

Filesize
3KB

MD5
6e70f080f0a5f3f052eeb0ce6703dc4d

SHA1
fd5fde5247508b4c4583a75ca020af6e140e23ba

SHA256
7314eb4bf1be5d751eb7a7939921972b7b34b58ce7aac743c82bbdded66f9236

SHA512
1c2f824255bb24ca02e9687ee7367eec4398ee5b84b448edfe00751122bce2ee07afb35a1824649b149b7160c3cb57d2eae2a3f93388a3d998494c129be5709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8473c594cf14b7874\vs_bootstrapper_d15\vs_setup_bootstrapper.json

Filesize
162B

MD5
ad891c3b02a02419dc60db8c273a8315

SHA1
141a08ca0e25d56bdb35fc71e1c767667079114a

SHA256
186c4b16ee009564819730b358dbdbb0792fc27e602698c5f0a16e20104647c7

SHA512
64cdaf1d6d1b4072e24f3926f91103abf946ff044cda34a9070586c2d2927bcdfc53381c955e447a38965ee426373259759025f97b715158afc429080956196f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rLx1Z9mO.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\rLx1Z9mO.xlsm

Filesize
26KB

MD5
eb337fcb3c5a419da40443fc1131f355

SHA1
63a843e04780cfe013dfc256cace1b1cbcce6603

SHA256
76c9007d281096a8664d03d39c935510cffc25549c95745fc93dfda6fe7032de

SHA512
95010e18ee8d5bd3ee449f345e37b87ba6e6bba01aed95fd8dd763185bb66e9673fc8325a068def0b545e65b200e47914ac18805a6a8f8b4bc64709904aa5507

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssnrnkhj.dll

Filesize
5KB

MD5
5c9c28554b723814982dc0051e460833

SHA1
8a6fc0adbd8561715b994378c5fd8a73690a0960

SHA256
20f7f13d19a492d23e6ed8b300d04b2c8328c2faf75a5d0f2303e9644eae56e4

SHA512
57bbd8302c1b67c2e64839ea2b7936db2214c66f895821cf4e351a5d058fbcdae046a4c0a19b36bb7d00975702249bd2a2e9611705fa5cfb31591aa3bd821f13

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9441.tmp

Filesize
652B

MD5
1508421e18cb7e9fa5a28e6dce31f098

SHA1
3a5b8f8d9f6458b2d6c6202e7e5fcd4782c7c525

SHA256
dda50336adead261480e684516e5f97f91ce6f89c5689b3bb4a08b9f97a9f6ae

SHA512
1d4c00931b538a2e1b811e9f0fc6f1a13689b3bc8a383f0e6290e432eac23c54e29bf77ed0d63d07690cb661c91442c64b0491cc094c94e2762a6a180b8edbd7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ssnrnkhj.0.cs

Filesize
4KB

MD5
b63430207638c1a36b9b27002e0da3da

SHA1
54356082f32c71498c4ac5f85f4588e0d1c57ad0

SHA256
fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193

SHA512
29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ssnrnkhj.cmdline

Filesize
206B

MD5
a3ad5a1ef548f2aebbae7afd8f610ab1

SHA1
d6423f81ff32c0c67e273d9d9c97dc2e16029865

SHA256
36fd7568ad2c8c5c8cdcd4b7f8ec08c43e28353ec58acc04b31327ed9414100a

SHA512
7350a84e662c23816fb79f9e4e2b479af3e97ef4e645c361de4d1be6843d89aa0fc240221838c0dbbb3c44663870e998a138a7d197529d1f283a09f0a7253ca5

Download Submit
memory/1280-386-0x0000000005FE0000-0x00000000060DC000-memory.dmp

Filesize
1008KB

Download
memory/1280-435-0x0000000006BA0000-0x0000000006EF4000-memory.dmp

Filesize
3.3MB

Download
memory/1280-433-0x0000000006B70000-0x0000000006B92000-memory.dmp

Filesize
136KB

Download
memory/1280-406-0x0000000006390000-0x00000000063B6000-memory.dmp

Filesize
152KB

Download
memory/1280-382-0x0000000005E40000-0x0000000005ED4000-memory.dmp

Filesize
592KB

Download
memory/1280-425-0x0000000006740000-0x0000000006750000-memory.dmp

Filesize
64KB

Download
memory/1280-376-0x0000000005A30000-0x0000000005B9A000-memory.dmp

Filesize
1.4MB

Download
memory/1280-439-0x00000000073C0000-0x000000000747A000-memory.dmp

Filesize
744KB

Download
memory/1280-440-0x0000000007580000-0x00000000075E6000-memory.dmp

Filesize
408KB

Download
memory/1280-402-0x0000000005FB0000-0x0000000005FC4000-memory.dmp

Filesize
80KB

Download
memory/1280-443-0x000000000A640000-0x000000000A6D2000-memory.dmp

Filesize
584KB

Download
memory/1280-444-0x000000000AE90000-0x000000000B434000-memory.dmp

Filesize
5.6MB

Download
memory/1280-446-0x000000000A0B0000-0x000000000A0B8000-memory.dmp

Filesize
32KB

Download
memory/1280-372-0x0000000000FF0000-0x0000000001058000-memory.dmp

Filesize
416KB

Download
memory/1280-390-0x00000000059F0000-0x00000000059F8000-memory.dmp

Filesize
32KB

Download
memory/1280-394-0x0000000005DF0000-0x0000000005E40000-memory.dmp

Filesize
320KB

Download
memory/1280-445-0x000000000A050000-0x000000000A058000-memory.dmp

Filesize
32KB

Download
memory/1280-467-0x000000000A740000-0x000000000A74E000-memory.dmp

Filesize
56KB

Download
memory/1280-398-0x0000000006420000-0x00000000064D2000-memory.dmp

Filesize
712KB

Download
memory/1280-410-0x0000000006370000-0x0000000006378000-memory.dmp

Filesize
32KB

Download
memory/1280-466-0x000000000A770000-0x000000000A7A8000-memory.dmp

Filesize
224KB

Download
memory/3100-54-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-46-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-20-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-24-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-26-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-23-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-36-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-32-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-29-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-30-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-38-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-34-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-40-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-42-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-52-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-62-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-44-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-189-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-60-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-63-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/3100-58-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-56-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-48-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/3100-50-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/4008-9-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4008-16-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4012-325-0x0000000000800000-0x0000000000818000-memory.dmp

Filesize
96KB

Download
memory/4440-415-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-413-0x0000000074F42000-0x0000000074F43000-memory.dmp

Filesize
4KB

Download
memory/4440-414-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-0-0x0000000074F42000-0x0000000074F43000-memory.dmp

Filesize
4KB

Download
memory/4440-1-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-2-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4804-536-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/4804-498-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/5108-417-0x00007FF8869D0000-0x00007FF8869E0000-memory.dmp

Filesize
64KB

Download
memory/5108-419-0x00007FF8869D0000-0x00007FF8869E0000-memory.dmp

Filesize
64KB

Download
memory/5108-418-0x00007FF8869D0000-0x00007FF8869E0000-memory.dmp

Filesize
64KB

Download
memory/5108-421-0x00007FF8848D0000-0x00007FF8848E0000-memory.dmp

Filesize
64KB

Download
memory/5108-420-0x00007FF8869D0000-0x00007FF8869E0000-memory.dmp

Filesize
64KB

Download
memory/5108-434-0x00007FF8848D0000-0x00007FF8848E0000-memory.dmp

Filesize
64KB

Download
memory/5108-416-0x00007FF8869D0000-0x00007FF8869E0000-memory.dmp

Filesize
64KB

Download