Windows Analysis Report
VisualStudioSetup.exe

Overview

General Information

Sample name:	VisualStudioSetup.exe
Analysis ID:	1446645
MD5:	e81c3dce4ebe9d90c39a0dc4a7782dcf
SHA1:	d55e946462aaecb5371db48a3d21bcba8dcaaeb1
SHA256:	84af88add861a83a58867c92ba1445016c98879400450b1e7f39a815b6ae43b2
Infos:

Detection

PureCrypter

Score:	28
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

Detected PureCrypter Trojan

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Writes or reads registry keys via WMI

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
PureCrypter	According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021The malware has been observed distributing a variety of remote access trojans and information stealersThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software productsPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Googles Protocol Buffer message format	No Attribution	https://any.run/cybersecurity-blog/pure-malware-family-analysis/ https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/ https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/ https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter	https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Signatures

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0090B697 CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext,	0_2_0090B697
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0090B7E1 LoadLibraryW,GetLastError,GetProcAddress,GetLastError,DecryptFileW,GetLastError,	0_2_0090B7E1
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0090C1A3 BCryptOpenAlgorithmProvider,BCryptCreateHash,ReadFile,BCryptHashData,BCryptFinishHash,GetProcessHeap,HeapFree,GetLastError,BCryptDestroyHash,BCryptCloseAlgorithmProvider,	0_2_0090C1A3
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D31E0 CryptQueryObject,__CxxThrowException@8,CryptMsgGetParam,CryptMsgGetParam,lstrcmpA,CryptMsgOpenToDecode,CryptMsgUpdate,__CxxThrowException@8,__CxxThrowException@8,CryptMsgGetParam,CryptMsgGetParam,__CxxThrowException@8,CertNameToStrW,CertNameToStrW,__CxxThrowException@8,lstrcmpA,CryptDecodeObject,CryptDecodeObject,__CxxThrowException@8,	2_2_6C6D31E0
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D43F0 CryptMsgClose,	2_2_6C6D43F0

Uses 32bit PE files

Source: VisualStudioSetup.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

File created: C:\Users\user\AppData\Local\Temp\dd_VisualStudioSetup_decompression_log.txt

Jump to behavior

Source: VisualStudioSetup.exe

Static PE information: certificate valid

Source: VisualStudioSetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\s\_builds\windows-x64\msalruntime\bin\RelWithDebInfo\msalruntime.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, msalruntime.dll.0.dr
Source:	Binary string: /_/src/client/Microsoft.Identity.Client.Broker/obj/Release/net461/Microsoft.Identity.Client.Broker.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Broker.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\C2RSignatureReader.Interop\obj\Release\net472\Microsoft.C2RSignatureReader.Interop.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479193886.0000000005112000.00000002.00000001.01000000.0000000A.sdmp, Microsoft.C2RSignatureReader.Interop.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\C2RSignatureReader.Native\bin\Release\Win32\Microsoft.C2RSignatureReader.Native.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4496447586.000000006C6E2000.00000002.00000001.01000000.00000011.sdmp, Microsoft.C2RSignatureReader.Native.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4482080659.00000000059B2000.00000002.00000001.01000000.0000000E.sdmp, System.Memory.dll.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4482262211.0000000005A22000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4482262211.0000000005A22000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.0.dr
Source:	Binary string: D:\a\1\s\_builds\windows-x86\msalruntime\interop\net\obj\Win32\RelWithDebInfo\net461\Microsoft.Identity.Client.NativeInterop.pdbSHA256J source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.NativeInterop.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\Microsoft.VisualStudio.RemoteControl\Release\net45\Microsoft.VisualStudio.RemoteControl.pdbSHA256 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4483906144.00000000060D2000.00000002.00000001.01000000.00000010.sdmp, Microsoft.VisualStudio.RemoteControl.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup.Bootstrapper\obj\Release\net472\vs_setup_bootstrapper.pdb7 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup.Download\obj\Release\net472\Microsoft.VisualStudio.Setup.Download.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4480241119.00000000053F2000.00000002.00000001.01000000.0000000B.sdmp, Microsoft.VisualStudio.Setup.Download.dll.0.dr
Source:	Binary string: /_/src/Microsoft.Identity.Client.Extensions.Msal/obj/Release/net45/Microsoft.Identity.Client.Extensions.Msal.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Extensions.Msal.dll.0.dr
Source:	Binary string: /_/src/client/Microsoft.Identity.Client/obj/Release/net461/Microsoft.Identity.Client.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\src\Microsoft.VisualStudio.Utilities.Internal\Release\net45\Microsoft.VisualStudio.Utilities.Internal.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481871499.0000000005962000.00000002.00000001.01000000.0000000D.sdmp, Microsoft.VisualStudio.Utilities.Internal.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\BoxStub\bin\Release\Win32\boxstub.pdb* source: VisualStudioSetup.exe
Source:	Binary string: /_/src/Microsoft.IdentityModel.Abstractions/obj/Release/net472/Microsoft.IdentityModel.Abstractions.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.IdentityModel.Abstractions.dll.0.dr
Source:	Binary string: D:\a\1\s\_builds\windows-x86\msalruntime\bin\RelWithDebInfo\msalruntime_x86.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\BoxStub\bin\Release\Win32\boxstub.pdb source: VisualStudioSetup.exe
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdbBSJB source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481054308.00000000055D2000.00000002.00000001.01000000.0000000F.sdmp, System.Runtime.CompilerServices.Unsafe.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup.Bootstrapper\obj\Release\net472\vs_setup_bootstrapper.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup.Common\obj\Release\net472\Microsoft.VisualStudio.Setup.Common.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4480495615.0000000005442000.00000002.00000001.01000000.00000008.sdmp, Microsoft.VisualStudio.Setup.Common.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481054308.00000000055D2000.00000002.00000001.01000000.0000000F.sdmp, System.Runtime.CompilerServices.Unsafe.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\VSInstallerElevationRequestService.Contracts\obj\Release\net472\VSInstallerElevationService.Contracts.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, VSInstallerElevationService.Contracts.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup\obj\Release\net472\Microsoft.VisualStudio.Setup.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\src\Microsoft.VisualStudio.Telemetry\Release\net45\Microsoft.VisualStudio.Telemetry.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4483058233.0000000005FB7000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr
Source:	Binary string: /_/src/Microsoft.Identity.Client.Extensions.Msal/obj/Release/net45/Microsoft.Identity.Client.Extensions.Msal.pdbSHA256 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Extensions.Msal.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\src\Microsoft.VisualStudio.Utilities.Internal\Release\net45\Microsoft.VisualStudio.Utilities.Internal.pdbSHA256x source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481871499.0000000005962000.00000002.00000001.01000000.0000000D.sdmp, Microsoft.VisualStudio.Utilities.Internal.dll.0.dr
Source:	Binary string: /_/src/client/Microsoft.Identity.Client.Broker/obj/Release/net461/Microsoft.Identity.Client.Broker.pdbSHA256 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Broker.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\Microsoft.VisualStudio.RemoteControl\Release\net45\Microsoft.VisualStudio.RemoteControl.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4483906144.00000000060D2000.00000002.00000001.01000000.00000010.sdmp, Microsoft.VisualStudio.RemoteControl.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\src\Microsoft.VisualStudio.Telemetry\Release\net45\Microsoft.VisualStudio.Telemetry.pdbSHA256{v source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4483058233.0000000005FB7000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr
Source:	Binary string: D:\a\1\s\_builds\windows-x86\msalruntime\interop\net\obj\Win32\RelWithDebInfo\net461\Microsoft.Identity.Client.NativeInterop.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.NativeInterop.dll.0.dr
Source:	Binary string: /_/src/client/Microsoft.Identity.Client/obj/Release/net461/Microsoft.Identity.Client.pdbSHA256so source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr
Source:	Binary string: /_/src/Microsoft.IdentityModel.Abstractions/obj/Release/net472/Microsoft.IdentityModel.Abstractions.pdbSHA256Hw[ source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.IdentityModel.Abstractions.dll.0.dr
Source:	Binary string: D:\a\1\s\_builds\windows-arm64\msalruntime\bin\RelWithDebInfo\msalruntime_arm64.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0090CAD9 FindFirstFileW,GetLastError,FindNextFileW,CloseHandle,FindClose,	0_2_0090CAD9
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0090EB72 GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,GetLastError,	0_2_0090EB72
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0092A58A FindFirstFileExW,	0_2_0092A58A
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6DA1EA FindFirstFileExW,	2_2_6C6DA1EA

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.vs_setup_bootstrapper.exe.53f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll, type: DROPPED

Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: http://169.254.169.254/metadata/identity/oauth2/token
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4480241119.00000000053F2000.00000002.00000001.01000000.0000000B.sdmp, Microsoft.VisualStudio.Setup.Download.dll.0.dr	String found in binary or memory: http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://micros
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: http://169.254.169.254/metadata/instance/compute/location
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: http://aka.ms/msal-net-iwa
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: http://aka.ms/valid-authorities
Source: Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: http://aka.ms/vs/setup/layout/errors/missingpackages)
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, Microsoft.Identity.Client.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, Microsoft.Identity.Client.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, Microsoft.Identity.Client.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issuewsdl:definitionswsp:PolicyxmlUnable
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, Microsoft.Identity.Client.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, msalruntime.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds:mustUnderstandwss
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdwsu:Expireswsse:Use
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, Microsoft.Identity.Client.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdJurn:oasis:names:t
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://e11290.dspg.akamaiedge.net
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://e11290.dspg.akamaiedge.netd
Source: Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, Microsoft.Identity.Client.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/http
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/httpsoap12:bindingFound
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/httpsoapActiontransportsoap12:bindingAssociated
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, Microsoft.Identity.Client.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/IssueBuilding
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuehttp://schemas.xmlsoap.org/ws/2005/05/identity/NoPr
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueMEX
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueWhttp://schemas.xmlsoap.org/ws/2005/02/trustsht
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuehttp://docs.oasis-open.org/ws-sx/ws-trust/20051
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trusthttp://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicyOhttp://schemas.xmlsoap.org/wsdl/soap12/)===
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://targetednotifications-tm.trafficmanager.net
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://targetednotifications-tm.trafficmanager.netd
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://waws-prod-mwh-053-6a6c.westus2.cloudapp.azure.com
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://waws-prod-mwh-053-6a6c.westus2.cloudapp.azure.comd
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: http://www.tagvault.org/tv_extensions.xsd
Source: vs_setup_bootstrapper.exe	String found in binary or memory: https://aka.ms
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000000.2039840885.00000000005F2000.00000002.00000001.01000000.00000005.sdmp, vs_setup_bootstrapper.exe.0.dr	String found in binary or memory: https://aka.ms/
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/Brokered-Authentication-for-Android.
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/D
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://aka.ms/VSSetupErrorReports?q=
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/VSSetupErrorReports?q=InstallerUpdateLoop
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000000.2039840885.00000000005F2000.00000002.00000001.01000000.00000005.sdmp, vs_setup_bootstrapper.exe.0.dr	String found in binary or memory: https://aka.ms/VSSetupErrorReports?q=InstallerUpdateLoop-InstallVersionHelpLinkUhttps://aka.ms/vs/in
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/adal_token_cache_serialization.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-brokers
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-brokers.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-client-apps
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-interactive-android
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-2-released)
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-3-breaking-changes
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-3-breaking-changes.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-3x-cache-breaking-change
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-3x-cache-breaking-change).
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-3x-cache-breaking-changea
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-4x-cache-breaking-change
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-4x-cache-breaking-changeZ
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-application-configuration
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-application-configuration.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-authority-override
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-b2c
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-brokers
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-cca-token-cache-serialization
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-cca-token-cache-serialization.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-client-credentials
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-client-credentials.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-custom-instance-metadata
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-custom-web-ui.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-device-code-flow
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-enable-keychain-access
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-enable-keychain-groups
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-experimental-features
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-invalid-client
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-ios-13-broker
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-ios-broker.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-iwa
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-iwa-troubleshooting
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-logging.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-long-running-obo
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-os-browser
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-os-browser.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-pop
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-pop.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-region-discovery
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-ropc
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-signed-assertion.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-system-browsers
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-telemetry.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-telemetry.M
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-throttling.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-throttling.JNo
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-token-cache-serialization
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-up
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-up.
Source: Microsoft.Identity.Client.Broker.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-wam
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Broker.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-wam#parent-window-handles
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Broker.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-wam#troubleshooting
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Broker.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-wam#wam-limitations
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-webview2
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-xamarin
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net/ccsRouting.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-statemismatcherror
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/net-cache-persistence-errors.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://aka.ms/vs/
Source: VisualStudioSetup.exe, 00000000.00000003.2036722456.0000000004C87000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2036581027.0000000004BFD000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2037300636.0000000004C67000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.json.0.dr, vs_setup_bootstrapper_202405231229282350.json.2.dr	String found in binary or memory: https://aka.ms/vs/17/release/channel
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.config.0.dr, dd_bootstrapper_20240523122858.log.2.dr	String found in binary or memory: https://aka.ms/vs/17/release/installer
Source: vs_setup_bootstrapper.exe	String found in binary or memory: https://aka.ms/vs/arm
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://aka.ms/vs/arm/DriveAccessibilityCheckmPrecheck:
Source: vs_setup_bootstrapper.exe	String found in binary or memory: https://aka.ms/vs/arm64SSU
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://aka.ms/vs/arm64SSU5BackgroundDownloadPrecheck
Source: vs_setup_bootstrapper.exe	String found in binary or memory: https://aka.ms/vs/channels
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://aka.ms/vs/channels3packageProgressCollection
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://aka.ms/vs/cleanup
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000000.2039840885.00000000005F2000.00000002.00000001.01000000.00000005.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe.0.dr	String found in binary or memory: https://aka.ms/vs/config/v2/
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/vs/install/latest/installer
Source: vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/vs/installer/latest/feed
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://aka.ms/vs/installer/latest/feed)latestInstaller.json
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://aka.ms/vsinstallation-webview2)
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.msa/msal-net-3x-cache-breaking-change
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net
Source: vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	String found in binary or memory: https://az667904.vo.msecnd.net/pub-v
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C1B4000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C10C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.json
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C1B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.json-
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4487264572.0000000007C16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.json.errormarker
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4487264572.0000000007C16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.json.errormarkerE
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.json.errormarkerd
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4487264572.0000000007C16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.json.errormarkerq
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.00000000030BB000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.jsonC:
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.jsonLMEM
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.jsond
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net:443/pub/Default/v2/dyntelconfig.jsond
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.netD
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net
Source: Microsoft.VisualStudio.Telemetry.dll.0.dr	String found in binary or memory: https://az700632.vo.msecnd.net/pub
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.00000000030BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json)
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C192000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json.errormarker
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json.errormarkerG
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json.errormarkerd
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json.errormarkero
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json1&
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json5
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsonA
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.00000000030BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsonC:
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsonE
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4487264572.0000000007CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsonLMEM
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsonP
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsonX&
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsond
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsonn
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsonv&9
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net:443/pub/RemoteSettings/RemoteSettings_Installer.jsond
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.netD
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	String found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	String found in binary or memory: https://dc.services.visualstudio.com/v2/trackWDequeueAndSend:
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481871499.0000000005962000.00000002.00000001.01000000.0000000D.sdmp, Microsoft.VisualStudio.Utilities.Internal.dll.0.dr	String found in binary or memory: https://devdiv.visualstudio.com/DevDiv/_git/CommonInternalUtilities
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4483906144.00000000060D2000.00000002.00000001.01000000.00000010.sdmp, Microsoft.VisualStudio.RemoteControl.dll.0.dr	String found in binary or memory: https://devdiv.visualstudio.com/DevDiv/_git/VSRemoteControl
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4483906144.00000000060D2000.00000002.00000001.01000000.00000010.sdmp, Microsoft.VisualStudio.RemoteControl.dll.0.dr	String found in binary or memory: https://devdiv.visualstudio.com/DevDiv/_git/VSRemoteControlR
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	String found in binary or memory: https://devdiv.visualstudio.com/DevDiv/_git/VSTelemetryAPI
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://enterpriseregistration.windows.net/
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.IdentityModel.Abstractions.dll.0.dr	String found in binary or memory: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Extensions.Msal.dll.0.dr	String found in binary or memory: https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Extensions.Msal.dll.0.dr	String found in binary or memory: https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnetf
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr, Microsoft.Identity.Client.Broker.dll.0.dr	String found in binary or memory: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet7
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Broker.dll.0.dr	String found in binary or memory: https://github.com/AzureAD/microsoft-authentication-library-for-dotnetq
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4482262211.0000000005A22000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: vs_setup_bootstrapper.exe	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b4919
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4482080659.00000000059B2000.00000002.00000001.01000000.0000000E.sdmp, System.Memory.dll.0.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4482080659.00000000059B2000.00000002.00000001.01000000.0000000E.sdmp, System.Memory.dll.0.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588
Source: VisualStudioSetup.exe	String found in binary or memory: https://go.m
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4480241119.00000000053F2000.00000002.00000001.01000000.0000000B.sdmp, Microsoft.VisualStudio.Setup.Download.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47
Source: Microsoft.Identity.Client.Extensions.Msal.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/common
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/common.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/common/&Authentication-Info
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/common/-invalid_authority_type=Unsupported
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/nativeclient3urn:ietf:wg:oauth:2.0:oob
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/commonSetCorrelationIdd
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/consumers
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, msalruntime.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/consumersinvalidEnvfailedaadinvalidCodemissingWindowHandleservice:
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/consumersinvalidEnvwinrtExceptionsucceededinvalidCodemissingWindow
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/consumerssucceededwinrtExceptionmissingWindowHandleinvalidCodeIsFe
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/dsts/
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com=https://login.chinacloudapi.cnAhttps://login.microsoftonline.deAht
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: https://login.windows.localAbi_GetAllAccountsUnexpected
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr	String found in binary or memory: https://login.windows.localAbi_GetDefaultAccountProviderUnexpected
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, msalruntime.dll.0.dr	String found in binary or memory: https://login.windows.localAbi_RequestTokenInteractivelyAsyncException
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://marketplace.visualstudio.com
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://sso2urn:ietf:wg:oauth:2.0:oobxhttps://login.microsoftonline.com/common/oauth2/nativeclient
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://targetednotifications-tm.trafficmanager.net
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002AD8000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E3E000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002B87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://targetednotifications-tm.trafficmanager.net/api/values
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://targetednotifications-tm.trafficmanager.net/api/valuesd
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://targetednotifications-tm.trafficmanager.netD
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	String found in binary or memory: https://visualstudio-devdiv-c2s.msedge.net/ab
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	String found in binary or memory: https://visualstudio-devdiv-c2s.msedge.net/ab(DisabledFlights.json
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.0.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Extensions.Msal.dll.0.dr	String found in binary or memory: https://www.nuget.org/packages/Microsoft.Identity.Client.Extensions.Msal/
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr, Microsoft.Identity.Client.Broker.dll.0.dr	String found in binary or memory: https://www.nuget.org/packages/Microsoft.Identity.Client/
Source: Microsoft.Identity.Client.dll.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

System Summary

Writes or reads registry keys via WMI

Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_009328E0	0_2_009328E0
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_00925036	0_2_00925036
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0091A042	0_2_0091A042
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_00928171	0_2_00928171
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0092D218	0_2_0092D218
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0092539B	0_2_0092539B
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_009184B3	0_2_009184B3
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_00924CA8	0_2_00924CA8
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0092CD90	0_2_0092CD90
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_059665AB	2_2_059665AB
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_059B5C52	2_2_059B5C52
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_05A233B9	2_2_05A233B9
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_05A26998	2_2_05A26998
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_05A23276	2_2_05A23276
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D31E0	2_2_6C6D31E0
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6E05CF	2_2_6C6E05CF
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_00F72218	2_2_00F72218
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_060E64A1	2_2_060E64A1
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_060E4E88	2_2_060E4E88
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_06200040	2_2_06200040
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_0620BCF8	2_2_0620BCF8
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_06208B90	2_2_06208B90
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_0620A888	2_2_0620A888
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_0620A380	2_2_0620A380
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_06200007	2_2_06200007
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_062010E1	2_2_062010E1
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_06200B81	2_2_06200B81
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_0683BE38	2_2_0683BE38
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_0683CA70	2_2_0683CA70
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_05A25D9D	2_2_05A25D9D

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: String function: 00933038 appears 55 times
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: String function: 0090DCD9 appears 36 times
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: String function: 0091E5D0 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: String function: 6C6D5420 appears 34 times

Sample file is different than original file name gathered from version info

Source: VisualStudioSetup.exe	Binary or memory string: OriginalFilename vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevs_setup_bootstrapper.exe< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.C2RSignatureReader.Interop.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.C2RSignatureReader.Native.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Identity.Client.Broker.dllp( vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Identity.Client.dllb! vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Identity.Client.Extensions.Msal.dllt* vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Identity.Client.NativeInterop.dllp( vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.IdentityModel.Abstractions.dllP vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.RemoteControl.dllT vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.Setup.Common.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.Setup.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.Setup.Download.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.Telemetry.dllb! vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.Utilities.Internal.dllt* vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2036722456.0000000004C87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevs_setup_bootstrapper.resources.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000000.2012918430.000000000093B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevs_enterprise.exef# vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsalruntime.dll8 vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsalruntime.dll8 vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2036581027.0000000004BFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevs_setup_bootstrapper.resources.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsalruntime.dll8 vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Memory.dllT vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.CompilerServices.Unsafe.dll@ vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVSInstallerElevationService.Contracts.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevs_setup_bootstrapper.resources.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000002.4471206571.000000000093B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevs_enterprise.exef# vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2037300636.0000000004C67000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevs_setup_bootstrapper.resources.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2013386833.0000000004BCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevs_enterprise.exef# vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe	Binary or memory string: OriginalFilenamevs_enterprise.exef# vs VisualStudioSetup.exe

Uses 32bit PE files

Source: VisualStudioSetup.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: sus28.troj.evad.winEXE@7/78@0/0

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_0090E573 FormatMessageW,GetLastError,LocalFree,

0_2_0090E573

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\dyntelconfig[1].cache

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\55F58BAB-BDB9-47D5-B85E-B4D8234E8FAA
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\7BCAEF5B-E7EA-428D-84AF-105BCD4D93FC-RemoteSettings_Installer-json
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Mutant created: \Sessions\1\BaseNamedObjects\_675531BB6E734D2F846AB8511A8963FD_C:_Users_user_AppData_Local_Microsoft_VSApplicationInsights_vstelf3e86b4023cc43f0be495508d51f588a

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

File created: C:\Users\user\AppData\Local\Temp\dd_VisualStudioSetup_decompression_log.txt

Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Command line argument: temp

0_2_00909219

Source: VisualStudioSetup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: vs_setup_bootstrapper.exe	String found in binary or memory: https://aka.ms/vs/installer/latest/feed
Source: vs_setup_bootstrapper.exe	String found in binary or memory: modify --installPath "
Source: vs_setup_bootstrapper.exe	String found in binary or memory: repair --installPath "
Source: vs_setup_bootstrapper.exe	String found in binary or memory: Non-installable {0}, PlannedAction: {1}.
Source: vs_setup_bootstrapper.exe	String found in binary or memory: uninstall --installPath "
Source: vs_setup_bootstrapper.exe	String found in binary or memory: /online /quiet /norestart /add-package /packagepath:"
Source: vs_setup_bootstrapper.exe	String found in binary or memory: resume --installPath
Source: vs_setup_bootstrapper.exe	String found in binary or memory: --installSessionId {0}
Source: vs_setup_bootstrapper.exe	String found in binary or memory: VS-Platform-Installer/
Source: vs_setup_bootstrapper.exe	String found in binary or memory: export-installationconfiguration
Source: vs_setup_bootstrapper.exe	String found in binary or memory: latest-installer-feed-download-error
Source: vs_setup_bootstrapper.exe	String found in binary or memory: create-installershortcut-error
Source: vs_setup_bootstrapper.exe	String found in binary or memory: elevated-install-product
Source: vs_setup_bootstrapper.exe	String found in binary or memory: delete-installershortcut-error
Source: vs_setup_bootstrapper.exe	String found in binary or memory: vs/telemetryapi/manifest/load
Source: vs_setup_bootstrapper.exe	String found in binary or memory: vs/core/extension/installed
Source: vs_setup_bootstrapper.exe	String found in binary or memory: VS/TelemetryApi/LoadCommonProps
Source: vs_setup_bootstrapper.exe	String found in binary or memory: S/TelemetryApi/LoadCommonProps
Source: vs_setup_bootstrapper.exe	String found in binary or memory: VS/TelemetryApi/Manifest/Load
Source: vs_setup_bootstrapper.exe	String found in binary or memory: VS/TelemetryApi/LoadCommonProps/Fault

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

File read: C:\Users\user\Desktop\VisualStudioSetup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\VisualStudioSetup.exe "C:\Users\user\Desktop\VisualStudioSetup.exe"
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe "C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\user\Desktop\VisualStudioSetup.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\user\Desktop"
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process created: C:\Windows\SysWOW64\getmac.exe "getmac"
Source: C:\Windows\SysWOW64\getmac.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\getmac.exe	Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe "C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\user\Desktop\VisualStudioSetup.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\user\Desktop"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process created: C:\Windows\SysWOW64\getmac.exe "getmac"	Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: microsoft.c2rsignaturereader.native.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: VisualStudioSetup.exe

Static PE information: certificate valid

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: VisualStudioSetup.exe

Static file information: File size 4004568 > 1048576

Source: VisualStudioSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: VisualStudioSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: VisualStudioSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: VisualStudioSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: VisualStudioSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: VisualStudioSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: VisualStudioSetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: VisualStudioSetup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\s\_builds\windows-x64\msalruntime\bin\RelWithDebInfo\msalruntime.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, msalruntime.dll.0.dr
Source:	Binary string: /_/src/client/Microsoft.Identity.Client.Broker/obj/Release/net461/Microsoft.Identity.Client.Broker.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Broker.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\C2RSignatureReader.Interop\obj\Release\net472\Microsoft.C2RSignatureReader.Interop.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479193886.0000000005112000.00000002.00000001.01000000.0000000A.sdmp, Microsoft.C2RSignatureReader.Interop.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\C2RSignatureReader.Native\bin\Release\Win32\Microsoft.C2RSignatureReader.Native.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4496447586.000000006C6E2000.00000002.00000001.01000000.00000011.sdmp, Microsoft.C2RSignatureReader.Native.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4482080659.00000000059B2000.00000002.00000001.01000000.0000000E.sdmp, System.Memory.dll.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4482262211.0000000005A22000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4482262211.0000000005A22000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.0.dr
Source:	Binary string: D:\a\1\s\_builds\windows-x86\msalruntime\interop\net\obj\Win32\RelWithDebInfo\net461\Microsoft.Identity.Client.NativeInterop.pdbSHA256J source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.NativeInterop.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\Microsoft.VisualStudio.RemoteControl\Release\net45\Microsoft.VisualStudio.RemoteControl.pdbSHA256 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4483906144.00000000060D2000.00000002.00000001.01000000.00000010.sdmp, Microsoft.VisualStudio.RemoteControl.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup.Bootstrapper\obj\Release\net472\vs_setup_bootstrapper.pdb7 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup.Download\obj\Release\net472\Microsoft.VisualStudio.Setup.Download.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4480241119.00000000053F2000.00000002.00000001.01000000.0000000B.sdmp, Microsoft.VisualStudio.Setup.Download.dll.0.dr
Source:	Binary string: /_/src/Microsoft.Identity.Client.Extensions.Msal/obj/Release/net45/Microsoft.Identity.Client.Extensions.Msal.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Extensions.Msal.dll.0.dr
Source:	Binary string: /_/src/client/Microsoft.Identity.Client/obj/Release/net461/Microsoft.Identity.Client.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\src\Microsoft.VisualStudio.Utilities.Internal\Release\net45\Microsoft.VisualStudio.Utilities.Internal.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481871499.0000000005962000.00000002.00000001.01000000.0000000D.sdmp, Microsoft.VisualStudio.Utilities.Internal.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\BoxStub\bin\Release\Win32\boxstub.pdb* source: VisualStudioSetup.exe
Source:	Binary string: /_/src/Microsoft.IdentityModel.Abstractions/obj/Release/net472/Microsoft.IdentityModel.Abstractions.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.IdentityModel.Abstractions.dll.0.dr
Source:	Binary string: D:\a\1\s\_builds\windows-x86\msalruntime\bin\RelWithDebInfo\msalruntime_x86.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\BoxStub\bin\Release\Win32\boxstub.pdb source: VisualStudioSetup.exe
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdbBSJB source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481054308.00000000055D2000.00000002.00000001.01000000.0000000F.sdmp, System.Runtime.CompilerServices.Unsafe.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup.Bootstrapper\obj\Release\net472\vs_setup_bootstrapper.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup.Common\obj\Release\net472\Microsoft.VisualStudio.Setup.Common.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4480495615.0000000005442000.00000002.00000001.01000000.00000008.sdmp, Microsoft.VisualStudio.Setup.Common.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481054308.00000000055D2000.00000002.00000001.01000000.0000000F.sdmp, System.Runtime.CompilerServices.Unsafe.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\VSInstallerElevationRequestService.Contracts\obj\Release\net472\VSInstallerElevationService.Contracts.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, VSInstallerElevationService.Contracts.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup\obj\Release\net472\Microsoft.VisualStudio.Setup.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\src\Microsoft.VisualStudio.Telemetry\Release\net45\Microsoft.VisualStudio.Telemetry.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4483058233.0000000005FB7000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr
Source:	Binary string: /_/src/Microsoft.Identity.Client.Extensions.Msal/obj/Release/net45/Microsoft.Identity.Client.Extensions.Msal.pdbSHA256 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Extensions.Msal.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\src\Microsoft.VisualStudio.Utilities.Internal\Release\net45\Microsoft.VisualStudio.Utilities.Internal.pdbSHA256x source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481871499.0000000005962000.00000002.00000001.01000000.0000000D.sdmp, Microsoft.VisualStudio.Utilities.Internal.dll.0.dr
Source:	Binary string: /_/src/client/Microsoft.Identity.Client.Broker/obj/Release/net461/Microsoft.Identity.Client.Broker.pdbSHA256 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Broker.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\Microsoft.VisualStudio.RemoteControl\Release\net45\Microsoft.VisualStudio.RemoteControl.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4483906144.00000000060D2000.00000002.00000001.01000000.00000010.sdmp, Microsoft.VisualStudio.RemoteControl.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\src\Microsoft.VisualStudio.Telemetry\Release\net45\Microsoft.VisualStudio.Telemetry.pdbSHA256{v source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4483058233.0000000005FB7000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr
Source:	Binary string: D:\a\1\s\_builds\windows-x86\msalruntime\interop\net\obj\Win32\RelWithDebInfo\net461\Microsoft.Identity.Client.NativeInterop.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.NativeInterop.dll.0.dr
Source:	Binary string: /_/src/client/Microsoft.Identity.Client/obj/Release/net461/Microsoft.Identity.Client.pdbSHA256so source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr
Source:	Binary string: /_/src/Microsoft.IdentityModel.Abstractions/obj/Release/net472/Microsoft.IdentityModel.Abstractions.pdbSHA256Hw[ source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.IdentityModel.Abstractions.dll.0.dr
Source:	Binary string: D:\a\1\s\_builds\windows-arm64\msalruntime\bin\RelWithDebInfo\msalruntime_arm64.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr

Binary contains a suspicious time stamp

Source: vs_setup_bootstrapper.exe.0.dr

Static PE information: 0x8DB2A9C3 [Tue May 2 00:05:23 2045 UTC]

PE file contains sections with non-standard names

Source: VisualStudioSetup.exe

Static PE information: section name: .boxld01

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_00933001 push ecx; ret	0_2_00933014
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_00903C7D push esi; ret	0_2_00903C86
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_053F5803 push es; retn 0002h	2_2_053F5957
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_059652A5 push 0000002Fh; ret	2_2_05965306
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_05963F66 push 0000006Fh; retn 0000h	2_2_059640AC
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_060D4550 push 00000012h; ret	2_2_060D4742
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D5466 push ecx; ret	2_2_6C6D5479
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6E0CE3 push ecx; ret	2_2_6C6E0CF6
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_053EBBE9 pushad ; ret	2_2_053EBBEA
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_060E4520 pushfd ; iretd	2_2_060E4529
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_060EC590 push es; ret	2_2_060EC5A0
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_060E4CE0 pushfd ; iretd	2_2_060E4CED
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_060E9DA1 push es; ret	2_2_060E9DB0
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_060EB840 push es; ret	2_2_060EB850
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_061BC647 pushfd ; ret	2_2_061BC739
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_061B53E0 push es; ret	2_2_061B53F0
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_0683E503 pushad ; retf	2_2_0683E509

Drops PE files

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\fr\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.Extensions.Msal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\runtimes\win-x86\native\msalruntime_x86.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.NativeInterop.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\runtimes\win-x64\native\msalruntime.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.IdentityModel.Abstractions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\ja\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\pt-BR\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\cs\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\zh-Hans\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.Broker.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\ru\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\de\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\System.Memory.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\it\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\zh-Hant\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\runtimes\win-arm64\native\msalruntime_arm64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\tr\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\es\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\VSInstallerElevationService.Contracts.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\ko\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\pl\vs_setup_bootstrapper.resources.dll	Jump to dropped file

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

File created: C:\Users\user\AppData\Local\Temp\dd_VisualStudioSetup_decompression_log.txt

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Memory allocated: F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Memory allocated: 2A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Memory allocated: 1000000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Code function: 2_2_05965E18 rdtsc

2_2_05965E18

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Window / User API: threadDelayed 5142			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Window / User API: threadDelayed 4536			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\fr\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.Extensions.Msal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\runtimes\win-x86\native\msalruntime_x86.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\runtimes\win-x64\native\msalruntime.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.NativeInterop.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\ja\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.IdentityModel.Abstractions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\pt-BR\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\cs\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\zh-Hans\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.Broker.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\ru\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\de\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\System.Memory.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\it\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\zh-Hant\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\runtimes\win-arm64\native\msalruntime_arm64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\es\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\tr\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\VSInstallerElevationService.Contracts.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\ko\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\pl\vs_setup_bootstrapper.resources.dll	Jump to dropped file

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

API coverage: 6.8 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe TID: 4524	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe TID: 3596	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe TID: 3596	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Version,SerialNumber from Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Product from Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0090CAD9 FindFirstFileW,GetLastError,FindNextFileW,CloseHandle,FindClose,	0_2_0090CAD9
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0090EB72 GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,GetLastError,	0_2_0090EB72
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0092A58A FindFirstFileExW,	0_2_0092A58A
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6DA1EA FindFirstFileExW,	2_2_6C6DA1EA

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_00911284 __EH_prolog3_GS,GetSystemInfo,

0_2_00911284

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: PostVirtualMachineTypeTelemetry
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: InitializeVirtualMachineTypeValue
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, getmac.exe, 00000003.00000002.2058331353.0000000003357000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000003.00000003.2055963306.0000000003356000.00000004.00000020.00020000.00000000.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: Hyper-V
Source: Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: VMware
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $cq"VS.Core.Machine.VirtualMachineType
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	Binary or memory string: uTimed out while querying for Hyper-V feature availability.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	Binary or memory string: SELECT Name FROM Win32_OptionalFeature WHERE Name = 'Microsoft-Hyper-V'
Source: getmac.exe, 00000003.00000003.2055779123.0000000003374000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000003.00000002.2060920729.0000000003374000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: getmac.exe, 00000003.00000003.2055779123.0000000003374000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000003.00000002.2060920729.0000000003374000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: isVirtualMachine
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: virtualMachineTypeValue
Source: getmac.exe, 00000003.00000002.2058331353.0000000003357000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000003.00000003.2055963306.0000000003356000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	Binary or memory string: 4Hyper-V is not supported by the current environment.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: IsVirtualMachinePropertyName
Source: getmac.exe, 00000003.00000003.2055709976.0000000003397000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000003.00000003.2055583804.0000000003391000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport1
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4483058233.0000000005FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: IsDevBoxAVS.Core.Machine.Processor.FamilyGVS.Core.Machine.Processor.Frequency?VS.Core.Machine.Processor.ModelEVS.Core.Machine.Processor.Stepping;VS.Core.Machine.VM.AzureImage1VS.Core.Win365.PartnerId-VS.Core.Win365.SkuName)VS.Core.Machine.IsVMEVS.Core.Machine.VirtualMachineType]HARDWARE\DESCRIPTION\System\CentralProcessor\0'ProcessorNameStringSSOFTWARE\Microsoft\VisualStudio\Telemetry!AzureVMImageNameNone
Source: Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: vmware-
Source: vs_setup_bootstrapper.exe	Binary or memory string: VS.Core.Machine.VirtualMachineType
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: VirtualMachineTypePropertyName
Source: getmac.exe, 00000003.00000002.2058331353.0000000003357000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000003.00000003.2055963306.0000000003356000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAW
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: IsVirtualMachine
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: GetVirtualMachineTypeValue
Source: getmac.exe, 00000003.00000003.2055709976.0000000003397000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000003.00000003.2055583804.0000000003391000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: NoneRSOFTWARE\Microsoft\VisualStudio\Telemetry8VS.Core.Machine.Architecture(VS.Core.Machine.IsVMDVS.Core.Machine.VirtualMachineType
Source: vs_setup_bootstrapper.exe	Binary or memory string: Unable to query for Hyper-V feature availability: {0}
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	Binary or memory string: kUnable to query for Hyper-V feature availability: {0}
Source: vs_setup_bootstrapper.exe	Binary or memory string: S.Core.Machine.VirtualMachineType
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: InitializeVirtualMachineType
Source: vs_setup_bootstrapper.exe	Binary or memory string: Timed out while querying for Hyper-V feature availability.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: virtualMachineType

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Code function: 2_2_05965E18 rdtsc

2_2_05965E18

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_00927941 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00927941

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0092B82C mov eax, dword ptr fs:[00000030h]	0_2_0092B82C
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_00926FA5 mov ecx, dword ptr fs:[00000030h]	0_2_00926FA5
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0092B7E8 mov eax, dword ptr fs:[00000030h]	0_2_0092B7E8
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D9D78 mov eax, dword ptr fs:[00000030h]	2_2_6C6D9D78
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D885B mov ecx, dword ptr fs:[00000030h]	2_2_6C6D885B

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_0090C823 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapReAlloc,ReadFile,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,RtlFreeHeap,

0_2_0090C823

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_00927941 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00927941
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0091E257 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0091E257
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0091E3F6 SetUnhandledExceptionFilter,	0_2_0091E3F6
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0091DC5E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0091DC5E
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D5092 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6C6D5092
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D813E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6C6D813E
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D5298 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6C6D5298

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Detected PureCrypter Trojan

Source: 20240623062655_e0da717c5d50411ebf74d5aca452db70.tmp.2.dr

String found in binary or memory: H4sIAAAAAAAEAO1cbW/bOBL+fsD9h8CfdrGhlu8ijcMBlm3dBte0vTjtArcpCoqiUqGK5JPktEGx//1GsvLSrmO7SVv0blkUjWPPCzkczszzVMmHUWku3Gg8umwCW9UuaE197lqXllWbZ7k1bV6VTWBs/7V21uWXLh0djtq8V6OYcoQlIvKUyDENx4IFUot/g8Slq0GABxhe5/90V/BNNc6YUzLhmDJrOctw4rgWAqtUkEwoZUA2Na0ZjT+MEtO406tl52V+6cp21r1/2L89G0R6F/Twdg8/d3v4eeMefv7jHi6caVa1uwDjTWduWpWte98GM5eZVdEGLxfBtItJtMqL9OnqIundEcEP7xV9XlfWNc1ROhozIvH9gi8aVwdPqvXign+4qlOhlB2OThx8BAsMul0eV6krgnnZ5u3Vwr5xF+alqxtQGY3FRtGFg6CA8GiM73y+cP9ZudK6600wfufDUzjKRQ6fLmDlYHoB8WthMThkggmlQfZ61adDZJ9+lB2TPrLTalWCmt4pvczB9RJeumMIO8E8ZOEupalp3XlVXw1O8C75o9bV/cvOwe+Ho2VdLV3d5m7rQc/fu6fXqfS6ce1q+TqpqrZpa7ME9dH9xwmaNwczYgHBQZcngcRU6i1qR43kUd4OWQOqsSkat0Xh2NhJmtYg/Itp3oCCE1qEiuJMJDyVzjCrQ8YdFyLkVjtj4IKKjNvUYO7SRDumtcxCYUKWKGXD7b7e5KULJjV8bZ1t4a6Ax8nxTPI91LqEHmlqFbizKE1ogngmDdLCpEirhBtqHMb9nb/P1rNFcBtWCCoOiMZcBBRjuVUNglquI7p1rc9NDZd/CP9w9C/zZmWKRbtK82rR5cC++vAlXdn2zoLDLhEY10QGhG9b8GDh01AfgXSxRW0B9QBKg/3UJf5pH6eLt6vrLS8Oov3y/NQVUC/b+gpucbBpwwqcsp8gvbKQKmPC4ORki7m+CvaJQpy1zmiMDAkF4lgkKGEpQThhiTZWJ4nNdhpqjnNbV02VtV3k6tIUe1ypQfXZEorIUbeL03q1U/66Mb0f3GwU77MnuBtZsHABR5Y+6e8VlM1LKNX9/p2yVFCLUUKxQjyBV9omEqksSzKJTYYlfpCXKVzHbmNNa4qib8lbArLT1sXS5Odlv2KKGR5bpxNjuSWpszxNhOJCKlitTZmV1JEHuYFiCkpZfv6kMqnrfKHVEsYCd4BuXxTmqlq1B6jKsgKU4J3bVwX01eKuEKrq/DyHg3pX1W/z8jzNa3gzXwflSS/03LRv4D1XXj50zXbVmqRwk/p8NYwUIx3jqQzDiYhnNJzpKY1DKuEdLXUMnTXmUTylE6KpnLN4LsQkiohWXFI6i8LJ9J7WsWMpcVVb96hzPmrWMRmy5tnyppk+yuhzA/PFpesGlUda+tcqd+0XsPNysU60bmV9oj3c2NPqV5c8ysL1VBTnhQvsG1OWruhv2t2OFECNPYEibL6Ek+W6gPdObkpn8JG7ocZ3I6irl3X+QLf9TLlaDmVzyKu9LR01cf6+P59siO7N8Dpdx+nF+vhsBTXOtlU92jgcrwfVLgbgC8QXK9vPXduEhyVP2uoit5sloS3UruhvSB9KlRKpVGqQ0koinmYcmdAqJELpoJllTKtss6X1oD905T8Clns1hkXeXtSNsrEz3WAxmL8fKm3WHjLhZkDeLLWoVuvqc/MWTAp3RXss14cps8yJ0HEE5RAjbqHlw8AgkHIEU5xarhkZfQRienjS62LJMulShxIZQrvEaYK00zBmpjZVWutU4E53H9zS1ekPZ7ChM/iTX/fJ7hsLCVyVrq6rejiLs9H4t7ORjHQopyxGRIkZ4hHnKIpCgtScRzPM5xOho7PR4RlMv4xPJFMISjtDPJ4JFBESIZjBI42V1FEs1oIimuAwlgjPGEVcY4aUwCFSIVaTMIKRQKtecEKplLGeo2gaT2DfiqIJn8comjPovFEkobf0ghGRcUQwQVJFc3AtI6QnnCHKZoTwmFAyCdeCejbFc7CDScwR5zEI0ukcwZkQJamYQTvqBacTLOJ5qJGedmtUBHbN8RzFaq7najYDqDjrBeeUSxFPCdJ4DrsWlKKIEYJEJMNI0SiOOTsbvTq8jnmXiN1XQOJVC4fdttChh1ArpSHSjKHZnEOoOWUoimGxUznnTE0JgcCBrd93nvUAIHsAOPrt1U55yPbLPHX1kO4bhUa/w5+//uXDl+JQ1CklYxyOmQhUqD2H8p1zKGIPDoVKyHyFQ/VZHMpOeuMxdAjzdIinQzwd4ukQT4d4OsTTIZ4O8XSIp0O+Jh1iLJEm63B+BmWcGwng1nCBWJo5hlWieeg2W/pT0SGECsYMxihMsEGccWj5iTIoSzQjgiRY0m9Gh3x1PN2htuLUNe23A9aMjzEJACl7YP2dA2u5F7DmIeaEk6/6cIJiePfjD48B48SDcQ/GPRj3YNyDcQ/GPRj3YNyDcQ/GvyYYl4oaygjUcgCIiMvuv621MYgkBOYxzEJG/bMJAKhFErLMZYhzniKYWWEsTI1DOlNSZ4ZJkSb+2QT/bMKf5dkESk4xGcNfQQMl/LMJ3zuFEu5BoXCudSiw2PnDF9/u2QTu6RBPh3g6xNMhng7xdIinQzwd4ukQT4d8TTokUwpTanQHzkPECQmRTphEYQpvQFU0LPN0CBRHzaRSSiJrMggT1gIpKh0iaWiIggE1xNw/m/AgYM1OMR8TOeYwjlHlgfV3DqzVHsBaMs5DzKj8foC18MDaA2sPrD2w9sDaA2sPrD2w9sDaA+uvCaypDTUlMkVwxQExWi6QNkIhSQnPDJRIpqQH1iNMYTylVKIMm6T7HQgEaZhbkDBSZAQGWUJCD6w3AetlXnfYrIGrY91yOPAt4Foy8l2C6437+H8E2HHvpQevz7LZ6mLZnAwbTz/G3PeodNV6X5X5dSyDefeEzLTvkghKj6SMYaW2qB6b9yduWdVt89zVw3UbQtT9LsFtmnm5cLYq0yZy

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_009097A6 SetEnvironmentVariableW,GetLastError,SetEnvironmentVariableW,GetLastError,SetEnvironmentVariableW,GetLastError,SetEnvironmentVariableW,GetLastError,SetEnvironmentVariableW,GetLastError,ExpandEnvironmentStringsW,GetLastError,ExpandEnvironmentStringsW,CoInitializeEx,ShellExecuteExW,GetProcessId,Sleep,WaitForSingleObject,GetExitCodeProcess,CloseHandle,

0_2_009097A6

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe "C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\user\Desktop\VisualStudioSetup.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\user\Desktop"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process created: C:\Windows\SysWOW64\getmac.exe "getmac"			Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_0091E62B cpuid

0_2_0091E62B

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\System.Memory.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Controls.Ribbon\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Controls.Ribbon.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXmlLinq\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXmlLinq.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemCore\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemCore.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240523163000_24b8e7e77c3c4e358bd5e1de0726ac88.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240523163000_24b8e7e77c3c4e358bd5e1de0726ac88.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240523163000_24b8e7e77c3c4e358bd5e1de0726ac88.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240523163000_24b8e7e77c3c4e358bd5e1de0726ac88.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240523163000_631515a6268b4bc5adba92a40c352661.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240523163000_631515a6268b4bc5adba92a40c352661.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240525194707_98a010cee40f4f95af445d881a41a2d6.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240525194707_98a010cee40f4f95af445d881a41a2d6.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240525194707_98a010cee40f4f95af445d881a41a2d6.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240525194707_98a010cee40f4f95af445d881a41a2d6.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240525194707_c12eac8f38804f6bb862d19c21f1fcfe.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240525194707_c12eac8f38804f6bb862d19c21f1fcfe.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240607185001_86a9129f4885435c9ed3a73cbce6d3ba.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240607185001_86a9129f4885435c9ed3a73cbce6d3ba.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240607185001_86a9129f4885435c9ed3a73cbce6d3ba.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240607185001_86a9129f4885435c9ed3a73cbce6d3ba.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240607185001_6c47a1a998644fd49bfd1efaf289c838.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240607185001_6c47a1a998644fd49bfd1efaf289c838.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240614084043_3a72124a56384c98b712ff34cb5c41c9.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240614084043_3a72124a56384c98b712ff34cb5c41c9.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240614084043_3a72124a56384c98b712ff34cb5c41c9.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240614084043_3a72124a56384c98b712ff34cb5c41c9.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240614084043_7d750e310097423c95c14a6bca305e4e.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240614084043_7d750e310097423c95c14a6bca305e4e.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240616161207_6b5e978452e84cb397f54a326fe6931c.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240616161207_6b5e978452e84cb397f54a326fe6931c.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240616161207_6b5e978452e84cb397f54a326fe6931c.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240616161207_6b5e978452e84cb397f54a326fe6931c.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240616161207_43ccb07acb9945aa9c8b44353104deb8.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240616161207_43ccb07acb9945aa9c8b44353104deb8.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240623062655_e0da717c5d50411ebf74d5aca452db70.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240623062655_e0da717c5d50411ebf74d5aca452db70.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240623062655_e0da717c5d50411ebf74d5aca452db70.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240623062655_e0da717c5d50411ebf74d5aca452db70.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240623062655_b3cff21c83bf4353905574a9020524ee.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240623062655_b3cff21c83bf4353905574a9020524ee.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240625142858_0a458ab2b67549ab921d5e4199c0b68e.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240625142858_0a458ab2b67549ab921d5e4199c0b68e.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240625142858_0a458ab2b67549ab921d5e4199c0b68e.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240625142858_0a458ab2b67549ab921d5e4199c0b68e.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240625142858_5f3fe5b349b74f4c8f0b9c89bf97638f.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240625142858_5f3fe5b349b74f4c8f0b9c89bf97638f.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_0090DC5D GetLocalTime,

0_2_0090DC5D

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_0090E656 GetTimeZoneInformation,GetSystemTime,SystemTimeToTzSpecificLocalTime,GetSystemTime,

0_2_0090E656

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_0090D9AF GetVersionExW,GetModuleHandleW,GetProcAddress,GetCurrentProcess,IsWow64Process,IsWow64Process,GetLastError,

0_2_0090D9AF

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Code function: 2_2_6C6D16B0 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ,__ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,

2_2_6C6D16B0

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0090B697 CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext,	0_2_0090B697
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0090B7E1 LoadLibraryW,GetLastError,GetProcAddress,GetLastError,DecryptFileW,GetLastError,	0_2_0090B7E1
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0090C1A3 BCryptOpenAlgorithmProvider,BCryptCreateHash,ReadFile,BCryptHashData,BCryptFinishHash,GetProcessHeap,HeapFree,GetLastError,BCryptDestroyHash,BCryptCloseAlgorithmProvider,	0_2_0090C1A3
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D31E0 CryptQueryObject,__CxxThrowException@8,CryptMsgGetParam,CryptMsgGetParam,lstrcmpA,CryptMsgOpenToDecode,CryptMsgUpdate,__CxxThrowException@8,__CxxThrowException@8,CryptMsgGetParam,CryptMsgGetParam,__CxxThrowException@8,CertNameToStrW,CertNameToStrW,__CxxThrowException@8,lstrcmpA,CryptDecodeObject,CryptDecodeObject,__CxxThrowException@8,	2_2_6C6D31E0
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D43F0 CryptMsgClose,	2_2_6C6D43F0

Uses 32bit PE files

Source: VisualStudioSetup.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

File created: C:\Users\user\AppData\Local\Temp\dd_VisualStudioSetup_decompression_log.txt

Jump to behavior

Source: VisualStudioSetup.exe

Static PE information: certificate valid

Source: VisualStudioSetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\s\_builds\windows-x64\msalruntime\bin\RelWithDebInfo\msalruntime.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, msalruntime.dll.0.dr
Source:	Binary string: /_/src/client/Microsoft.Identity.Client.Broker/obj/Release/net461/Microsoft.Identity.Client.Broker.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Broker.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\C2RSignatureReader.Interop\obj\Release\net472\Microsoft.C2RSignatureReader.Interop.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479193886.0000000005112000.00000002.00000001.01000000.0000000A.sdmp, Microsoft.C2RSignatureReader.Interop.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\C2RSignatureReader.Native\bin\Release\Win32\Microsoft.C2RSignatureReader.Native.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4496447586.000000006C6E2000.00000002.00000001.01000000.00000011.sdmp, Microsoft.C2RSignatureReader.Native.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4482080659.00000000059B2000.00000002.00000001.01000000.0000000E.sdmp, System.Memory.dll.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4482262211.0000000005A22000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4482262211.0000000005A22000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.0.dr
Source:	Binary string: D:\a\1\s\_builds\windows-x86\msalruntime\interop\net\obj\Win32\RelWithDebInfo\net461\Microsoft.Identity.Client.NativeInterop.pdbSHA256J source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.NativeInterop.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\Microsoft.VisualStudio.RemoteControl\Release\net45\Microsoft.VisualStudio.RemoteControl.pdbSHA256 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4483906144.00000000060D2000.00000002.00000001.01000000.00000010.sdmp, Microsoft.VisualStudio.RemoteControl.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup.Bootstrapper\obj\Release\net472\vs_setup_bootstrapper.pdb7 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup.Download\obj\Release\net472\Microsoft.VisualStudio.Setup.Download.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4480241119.00000000053F2000.00000002.00000001.01000000.0000000B.sdmp, Microsoft.VisualStudio.Setup.Download.dll.0.dr
Source:	Binary string: /_/src/Microsoft.Identity.Client.Extensions.Msal/obj/Release/net45/Microsoft.Identity.Client.Extensions.Msal.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Extensions.Msal.dll.0.dr
Source:	Binary string: /_/src/client/Microsoft.Identity.Client/obj/Release/net461/Microsoft.Identity.Client.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\src\Microsoft.VisualStudio.Utilities.Internal\Release\net45\Microsoft.VisualStudio.Utilities.Internal.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481871499.0000000005962000.00000002.00000001.01000000.0000000D.sdmp, Microsoft.VisualStudio.Utilities.Internal.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\BoxStub\bin\Release\Win32\boxstub.pdb* source: VisualStudioSetup.exe
Source:	Binary string: /_/src/Microsoft.IdentityModel.Abstractions/obj/Release/net472/Microsoft.IdentityModel.Abstractions.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.IdentityModel.Abstractions.dll.0.dr
Source:	Binary string: D:\a\1\s\_builds\windows-x86\msalruntime\bin\RelWithDebInfo\msalruntime_x86.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\BoxStub\bin\Release\Win32\boxstub.pdb source: VisualStudioSetup.exe
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdbBSJB source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481054308.00000000055D2000.00000002.00000001.01000000.0000000F.sdmp, System.Runtime.CompilerServices.Unsafe.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup.Bootstrapper\obj\Release\net472\vs_setup_bootstrapper.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup.Common\obj\Release\net472\Microsoft.VisualStudio.Setup.Common.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4480495615.0000000005442000.00000002.00000001.01000000.00000008.sdmp, Microsoft.VisualStudio.Setup.Common.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481054308.00000000055D2000.00000002.00000001.01000000.0000000F.sdmp, System.Runtime.CompilerServices.Unsafe.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\VSInstallerElevationRequestService.Contracts\obj\Release\net472\VSInstallerElevationService.Contracts.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, VSInstallerElevationService.Contracts.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup\obj\Release\net472\Microsoft.VisualStudio.Setup.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\src\Microsoft.VisualStudio.Telemetry\Release\net45\Microsoft.VisualStudio.Telemetry.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4483058233.0000000005FB7000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr
Source:	Binary string: /_/src/Microsoft.Identity.Client.Extensions.Msal/obj/Release/net45/Microsoft.Identity.Client.Extensions.Msal.pdbSHA256 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Extensions.Msal.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\src\Microsoft.VisualStudio.Utilities.Internal\Release\net45\Microsoft.VisualStudio.Utilities.Internal.pdbSHA256x source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481871499.0000000005962000.00000002.00000001.01000000.0000000D.sdmp, Microsoft.VisualStudio.Utilities.Internal.dll.0.dr
Source:	Binary string: /_/src/client/Microsoft.Identity.Client.Broker/obj/Release/net461/Microsoft.Identity.Client.Broker.pdbSHA256 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Broker.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\Microsoft.VisualStudio.RemoteControl\Release\net45\Microsoft.VisualStudio.RemoteControl.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4483906144.00000000060D2000.00000002.00000001.01000000.00000010.sdmp, Microsoft.VisualStudio.RemoteControl.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\src\Microsoft.VisualStudio.Telemetry\Release\net45\Microsoft.VisualStudio.Telemetry.pdbSHA256{v source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4483058233.0000000005FB7000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr
Source:	Binary string: D:\a\1\s\_builds\windows-x86\msalruntime\interop\net\obj\Win32\RelWithDebInfo\net461\Microsoft.Identity.Client.NativeInterop.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.NativeInterop.dll.0.dr
Source:	Binary string: /_/src/client/Microsoft.Identity.Client/obj/Release/net461/Microsoft.Identity.Client.pdbSHA256so source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr
Source:	Binary string: /_/src/Microsoft.IdentityModel.Abstractions/obj/Release/net472/Microsoft.IdentityModel.Abstractions.pdbSHA256Hw[ source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.IdentityModel.Abstractions.dll.0.dr
Source:	Binary string: D:\a\1\s\_builds\windows-arm64\msalruntime\bin\RelWithDebInfo\msalruntime_arm64.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0090CAD9 FindFirstFileW,GetLastError,FindNextFileW,CloseHandle,FindClose,	0_2_0090CAD9
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0090EB72 GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,GetLastError,	0_2_0090EB72
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0092A58A FindFirstFileExW,	0_2_0092A58A
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6DA1EA FindFirstFileExW,	2_2_6C6DA1EA

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.vs_setup_bootstrapper.exe.53f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll, type: DROPPED

Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: http://169.254.169.254/metadata/identity/oauth2/token
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4480241119.00000000053F2000.00000002.00000001.01000000.0000000B.sdmp, Microsoft.VisualStudio.Setup.Download.dll.0.dr	String found in binary or memory: http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://micros
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: http://169.254.169.254/metadata/instance/compute/location
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: http://aka.ms/msal-net-iwa
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: http://aka.ms/valid-authorities
Source: Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: http://aka.ms/vs/setup/layout/errors/missingpackages)
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, Microsoft.Identity.Client.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, Microsoft.Identity.Client.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, Microsoft.Identity.Client.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issuewsdl:definitionswsp:PolicyxmlUnable
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, Microsoft.Identity.Client.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, msalruntime.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds:mustUnderstandwss
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdwsu:Expireswsse:Use
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, Microsoft.Identity.Client.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdJurn:oasis:names:t
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://e11290.dspg.akamaiedge.net
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://e11290.dspg.akamaiedge.netd
Source: Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, Microsoft.Identity.Client.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/http
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/httpsoap12:bindingFound
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/httpsoapActiontransportsoap12:bindingAssociated
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, Microsoft.Identity.Client.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/IssueBuilding
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuehttp://schemas.xmlsoap.org/ws/2005/05/identity/NoPr
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueMEX
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueWhttp://schemas.xmlsoap.org/ws/2005/02/trustsht
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuehttp://docs.oasis-open.org/ws-sx/ws-trust/20051
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trusthttp://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicyOhttp://schemas.xmlsoap.org/wsdl/soap12/)===
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://targetednotifications-tm.trafficmanager.net
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://targetednotifications-tm.trafficmanager.netd
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://waws-prod-mwh-053-6a6c.westus2.cloudapp.azure.com
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://waws-prod-mwh-053-6a6c.westus2.cloudapp.azure.comd
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: http://www.tagvault.org/tv_extensions.xsd
Source: vs_setup_bootstrapper.exe	String found in binary or memory: https://aka.ms
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000000.2039840885.00000000005F2000.00000002.00000001.01000000.00000005.sdmp, vs_setup_bootstrapper.exe.0.dr	String found in binary or memory: https://aka.ms/
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/Brokered-Authentication-for-Android.
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/D
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://aka.ms/VSSetupErrorReports?q=
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/VSSetupErrorReports?q=InstallerUpdateLoop
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000000.2039840885.00000000005F2000.00000002.00000001.01000000.00000005.sdmp, vs_setup_bootstrapper.exe.0.dr	String found in binary or memory: https://aka.ms/VSSetupErrorReports?q=InstallerUpdateLoop-InstallVersionHelpLinkUhttps://aka.ms/vs/in
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/adal_token_cache_serialization.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-brokers
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-brokers.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-client-apps
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-interactive-android
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-2-released)
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-3-breaking-changes
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-3-breaking-changes.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-3x-cache-breaking-change
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-3x-cache-breaking-change).
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-3x-cache-breaking-changea
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-4x-cache-breaking-change
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-4x-cache-breaking-changeZ
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-application-configuration
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-application-configuration.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-authority-override
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-b2c
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-brokers
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-cca-token-cache-serialization
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-cca-token-cache-serialization.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-client-credentials
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-client-credentials.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-custom-instance-metadata
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-custom-web-ui.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-device-code-flow
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-enable-keychain-access
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-enable-keychain-groups
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-experimental-features
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-invalid-client
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-ios-13-broker
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-ios-broker.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-iwa
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-iwa-troubleshooting
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-logging.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-long-running-obo
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-os-browser
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-os-browser.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-pop
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-pop.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-region-discovery
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-ropc
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-signed-assertion.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-system-browsers
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-telemetry.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-telemetry.M
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-throttling.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-throttling.JNo
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-token-cache-serialization
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-up
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-up.
Source: Microsoft.Identity.Client.Broker.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-wam
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Broker.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-wam#parent-window-handles
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Broker.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-wam#troubleshooting
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Broker.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-wam#wam-limitations
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-webview2
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net-xamarin
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-net/ccsRouting.
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/msal-statemismatcherror
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.ms/net-cache-persistence-errors.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://aka.ms/vs/
Source: VisualStudioSetup.exe, 00000000.00000003.2036722456.0000000004C87000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2036581027.0000000004BFD000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2037300636.0000000004C67000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.json.0.dr, vs_setup_bootstrapper_202405231229282350.json.2.dr	String found in binary or memory: https://aka.ms/vs/17/release/channel
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.config.0.dr, dd_bootstrapper_20240523122858.log.2.dr	String found in binary or memory: https://aka.ms/vs/17/release/installer
Source: vs_setup_bootstrapper.exe	String found in binary or memory: https://aka.ms/vs/arm
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://aka.ms/vs/arm/DriveAccessibilityCheckmPrecheck:
Source: vs_setup_bootstrapper.exe	String found in binary or memory: https://aka.ms/vs/arm64SSU
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://aka.ms/vs/arm64SSU5BackgroundDownloadPrecheck
Source: vs_setup_bootstrapper.exe	String found in binary or memory: https://aka.ms/vs/channels
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://aka.ms/vs/channels3packageProgressCollection
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://aka.ms/vs/cleanup
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000000.2039840885.00000000005F2000.00000002.00000001.01000000.00000005.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe.0.dr	String found in binary or memory: https://aka.ms/vs/config/v2/
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/vs/install/latest/installer
Source: vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/vs/installer/latest/feed
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://aka.ms/vs/installer/latest/feed)latestInstaller.json
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://aka.ms/vsinstallation-webview2)
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://aka.msa/msal-net-3x-cache-breaking-change
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net
Source: vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	String found in binary or memory: https://az667904.vo.msecnd.net/pub-v
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C1B4000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C10C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.json
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C1B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.json-
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4487264572.0000000007C16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.json.errormarker
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4487264572.0000000007C16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.json.errormarkerE
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.json.errormarkerd
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4487264572.0000000007C16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.json.errormarkerq
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.00000000030BB000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.jsonC:
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.jsonLMEM
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.jsond
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.net:443/pub/Default/v2/dyntelconfig.jsond
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az667904.vo.msecnd.netD
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net
Source: Microsoft.VisualStudio.Telemetry.dll.0.dr	String found in binary or memory: https://az700632.vo.msecnd.net/pub
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.00000000030BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json)
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C192000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json.errormarker
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json.errormarkerG
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json.errormarkerd
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json.errormarkero
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json1&
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json5
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsonA
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.00000000030BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsonC:
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsonE
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4487264572.0000000007CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsonLMEM
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsonP
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsonX&
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsond
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsonn
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4491281578.000000000C073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.jsonv&9
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net:443/pub/RemoteSettings/RemoteSettings_Installer.jsond
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.netD
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	String found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	String found in binary or memory: https://dc.services.visualstudio.com/v2/trackWDequeueAndSend:
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481871499.0000000005962000.00000002.00000001.01000000.0000000D.sdmp, Microsoft.VisualStudio.Utilities.Internal.dll.0.dr	String found in binary or memory: https://devdiv.visualstudio.com/DevDiv/_git/CommonInternalUtilities
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4483906144.00000000060D2000.00000002.00000001.01000000.00000010.sdmp, Microsoft.VisualStudio.RemoteControl.dll.0.dr	String found in binary or memory: https://devdiv.visualstudio.com/DevDiv/_git/VSRemoteControl
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4483906144.00000000060D2000.00000002.00000001.01000000.00000010.sdmp, Microsoft.VisualStudio.RemoteControl.dll.0.dr	String found in binary or memory: https://devdiv.visualstudio.com/DevDiv/_git/VSRemoteControlR
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	String found in binary or memory: https://devdiv.visualstudio.com/DevDiv/_git/VSTelemetryAPI
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://enterpriseregistration.windows.net/
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.IdentityModel.Abstractions.dll.0.dr	String found in binary or memory: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Extensions.Msal.dll.0.dr	String found in binary or memory: https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Extensions.Msal.dll.0.dr	String found in binary or memory: https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnetf
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr, Microsoft.Identity.Client.Broker.dll.0.dr	String found in binary or memory: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet7
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Broker.dll.0.dr	String found in binary or memory: https://github.com/AzureAD/microsoft-authentication-library-for-dotnetq
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4482262211.0000000005A22000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: vs_setup_bootstrapper.exe	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b4919
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4482080659.00000000059B2000.00000002.00000001.01000000.0000000E.sdmp, System.Memory.dll.0.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4482080659.00000000059B2000.00000002.00000001.01000000.0000000E.sdmp, System.Memory.dll.0.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588
Source: VisualStudioSetup.exe	String found in binary or memory: https://go.m
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4480241119.00000000053F2000.00000002.00000001.01000000.0000000B.sdmp, Microsoft.VisualStudio.Setup.Download.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47
Source: Microsoft.Identity.Client.Extensions.Msal.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/common
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/common.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/common/&Authentication-Info
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/common/-invalid_authority_type=Unsupported
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/nativeclient3urn:ietf:wg:oauth:2.0:oob
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/commonSetCorrelationIdd
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr, msalruntime_x86.dll.0.dr, msalruntime.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/consumers
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, msalruntime.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/consumersinvalidEnvfailedaadinvalidCodemissingWindowHandleservice:
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/consumersinvalidEnvwinrtExceptionsucceededinvalidCodemissingWindow
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/consumerssucceededwinrtExceptionmissingWindowHandleinvalidCodeIsFe
Source: Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com/dsts/
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://login.microsoftonline.com=https://login.chinacloudapi.cnAhttps://login.microsoftonline.deAht
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr	String found in binary or memory: https://login.windows.localAbi_GetAllAccountsUnexpected
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr	String found in binary or memory: https://login.windows.localAbi_GetDefaultAccountProviderUnexpected
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, msalruntime.dll.0.dr	String found in binary or memory: https://login.windows.localAbi_RequestTokenInteractivelyAsyncException
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	String found in binary or memory: https://marketplace.visualstudio.com
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr	String found in binary or memory: https://sso2urn:ietf:wg:oauth:2.0:oobxhttps://login.microsoftonline.com/common/oauth2/nativeclient
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://targetednotifications-tm.trafficmanager.net
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002AD8000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002E3E000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002B87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://targetednotifications-tm.trafficmanager.net/api/values
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://targetednotifications-tm.trafficmanager.net/api/valuesd
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://targetednotifications-tm.trafficmanager.netD
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	String found in binary or memory: https://visualstudio-devdiv-c2s.msedge.net/ab
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	String found in binary or memory: https://visualstudio-devdiv-c2s.msedge.net/ab(DisabledFlights.json
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.0.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Extensions.Msal.dll.0.dr	String found in binary or memory: https://www.nuget.org/packages/Microsoft.Identity.Client.Extensions.Msal/
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr, Microsoft.Identity.Client.Broker.dll.0.dr	String found in binary or memory: https://www.nuget.org/packages/Microsoft.Identity.Client/
Source: Microsoft.Identity.Client.dll.0.dr, Newtonsoft.Json.dll.0.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

System Summary

Writes or reads registry keys via WMI

Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_009328E0	0_2_009328E0
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_00925036	0_2_00925036
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0091A042	0_2_0091A042
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_00928171	0_2_00928171
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0092D218	0_2_0092D218
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0092539B	0_2_0092539B
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_009184B3	0_2_009184B3
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_00924CA8	0_2_00924CA8
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0092CD90	0_2_0092CD90
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_059665AB	2_2_059665AB
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_059B5C52	2_2_059B5C52
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_05A233B9	2_2_05A233B9
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_05A26998	2_2_05A26998
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_05A23276	2_2_05A23276
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D31E0	2_2_6C6D31E0
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6E05CF	2_2_6C6E05CF
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_00F72218	2_2_00F72218
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_060E64A1	2_2_060E64A1
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_060E4E88	2_2_060E4E88
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_06200040	2_2_06200040
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_0620BCF8	2_2_0620BCF8
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_06208B90	2_2_06208B90
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_0620A888	2_2_0620A888
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_0620A380	2_2_0620A380
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_06200007	2_2_06200007
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_062010E1	2_2_062010E1
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_06200B81	2_2_06200B81
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_0683BE38	2_2_0683BE38
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_0683CA70	2_2_0683CA70
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_05A25D9D	2_2_05A25D9D

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: String function: 00933038 appears 55 times
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: String function: 0090DCD9 appears 36 times
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: String function: 0091E5D0 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: String function: 6C6D5420 appears 34 times

Sample file is different than original file name gathered from version info

Source: VisualStudioSetup.exe	Binary or memory string: OriginalFilename vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevs_setup_bootstrapper.exe< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.C2RSignatureReader.Interop.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.C2RSignatureReader.Native.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Identity.Client.Broker.dllp( vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Identity.Client.dllb! vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Identity.Client.Extensions.Msal.dllt* vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Identity.Client.NativeInterop.dllp( vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.IdentityModel.Abstractions.dllP vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.RemoteControl.dllT vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.Setup.Common.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.Setup.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.Setup.Download.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.Telemetry.dllb! vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.Utilities.Internal.dllt* vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2036722456.0000000004C87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevs_setup_bootstrapper.resources.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000000.2012918430.000000000093B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevs_enterprise.exef# vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsalruntime.dll8 vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsalruntime.dll8 vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2036581027.0000000004BFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevs_setup_bootstrapper.resources.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsalruntime.dll8 vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Memory.dllT vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.CompilerServices.Unsafe.dll@ vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVSInstallerElevationService.Contracts.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevs_setup_bootstrapper.resources.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000002.4471206571.000000000093B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevs_enterprise.exef# vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2037300636.0000000004C67000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevs_setup_bootstrapper.resources.dll< vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe, 00000000.00000003.2013386833.0000000004BCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevs_enterprise.exef# vs VisualStudioSetup.exe
Source: VisualStudioSetup.exe	Binary or memory string: OriginalFilenamevs_enterprise.exef# vs VisualStudioSetup.exe

Uses 32bit PE files

Source: VisualStudioSetup.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: sus28.troj.evad.winEXE@7/78@0/0

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_0090E573 FormatMessageW,GetLastError,LocalFree,

0_2_0090E573

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\dyntelconfig[1].cache

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\55F58BAB-BDB9-47D5-B85E-B4D8234E8FAA
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\7BCAEF5B-E7EA-428D-84AF-105BCD4D93FC-RemoteSettings_Installer-json
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Mutant created: \Sessions\1\BaseNamedObjects\_675531BB6E734D2F846AB8511A8963FD_C:_Users_user_AppData_Local_Microsoft_VSApplicationInsights_vstelf3e86b4023cc43f0be495508d51f588a

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

File created: C:\Users\user\AppData\Local\Temp\dd_VisualStudioSetup_decompression_log.txt

Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Command line argument: temp

0_2_00909219

Source: VisualStudioSetup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: vs_setup_bootstrapper.exe	String found in binary or memory: https://aka.ms/vs/installer/latest/feed
Source: vs_setup_bootstrapper.exe	String found in binary or memory: modify --installPath "
Source: vs_setup_bootstrapper.exe	String found in binary or memory: repair --installPath "
Source: vs_setup_bootstrapper.exe	String found in binary or memory: Non-installable {0}, PlannedAction: {1}.
Source: vs_setup_bootstrapper.exe	String found in binary or memory: uninstall --installPath "
Source: vs_setup_bootstrapper.exe	String found in binary or memory: /online /quiet /norestart /add-package /packagepath:"
Source: vs_setup_bootstrapper.exe	String found in binary or memory: resume --installPath
Source: vs_setup_bootstrapper.exe	String found in binary or memory: --installSessionId {0}
Source: vs_setup_bootstrapper.exe	String found in binary or memory: VS-Platform-Installer/
Source: vs_setup_bootstrapper.exe	String found in binary or memory: export-installationconfiguration
Source: vs_setup_bootstrapper.exe	String found in binary or memory: latest-installer-feed-download-error
Source: vs_setup_bootstrapper.exe	String found in binary or memory: create-installershortcut-error
Source: vs_setup_bootstrapper.exe	String found in binary or memory: elevated-install-product
Source: vs_setup_bootstrapper.exe	String found in binary or memory: delete-installershortcut-error
Source: vs_setup_bootstrapper.exe	String found in binary or memory: vs/telemetryapi/manifest/load
Source: vs_setup_bootstrapper.exe	String found in binary or memory: vs/core/extension/installed
Source: vs_setup_bootstrapper.exe	String found in binary or memory: VS/TelemetryApi/LoadCommonProps
Source: vs_setup_bootstrapper.exe	String found in binary or memory: S/TelemetryApi/LoadCommonProps
Source: vs_setup_bootstrapper.exe	String found in binary or memory: VS/TelemetryApi/Manifest/Load
Source: vs_setup_bootstrapper.exe	String found in binary or memory: VS/TelemetryApi/LoadCommonProps/Fault

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

File read: C:\Users\user\Desktop\VisualStudioSetup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\VisualStudioSetup.exe "C:\Users\user\Desktop\VisualStudioSetup.exe"
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe "C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\user\Desktop\VisualStudioSetup.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\user\Desktop"
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process created: C:\Windows\SysWOW64\getmac.exe "getmac"
Source: C:\Windows\SysWOW64\getmac.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\getmac.exe	Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe "C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\user\Desktop\VisualStudioSetup.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\user\Desktop"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process created: C:\Windows\SysWOW64\getmac.exe "getmac"	Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: microsoft.c2rsignaturereader.native.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: VisualStudioSetup.exe

Static PE information: certificate valid

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: VisualStudioSetup.exe

Static file information: File size 4004568 > 1048576

Source: VisualStudioSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: VisualStudioSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: VisualStudioSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: VisualStudioSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: VisualStudioSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: VisualStudioSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: VisualStudioSetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: VisualStudioSetup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\s\_builds\windows-x64\msalruntime\bin\RelWithDebInfo\msalruntime.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, msalruntime.dll.0.dr
Source:	Binary string: /_/src/client/Microsoft.Identity.Client.Broker/obj/Release/net461/Microsoft.Identity.Client.Broker.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Broker.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\C2RSignatureReader.Interop\obj\Release\net472\Microsoft.C2RSignatureReader.Interop.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479193886.0000000005112000.00000002.00000001.01000000.0000000A.sdmp, Microsoft.C2RSignatureReader.Interop.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\C2RSignatureReader.Native\bin\Release\Win32\Microsoft.C2RSignatureReader.Native.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4496447586.000000006C6E2000.00000002.00000001.01000000.00000011.sdmp, Microsoft.C2RSignatureReader.Native.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4482080659.00000000059B2000.00000002.00000001.01000000.0000000E.sdmp, System.Memory.dll.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4482262211.0000000005A22000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4482262211.0000000005A22000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.0.dr
Source:	Binary string: D:\a\1\s\_builds\windows-x86\msalruntime\interop\net\obj\Win32\RelWithDebInfo\net461\Microsoft.Identity.Client.NativeInterop.pdbSHA256J source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.NativeInterop.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\Microsoft.VisualStudio.RemoteControl\Release\net45\Microsoft.VisualStudio.RemoteControl.pdbSHA256 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4483906144.00000000060D2000.00000002.00000001.01000000.00000010.sdmp, Microsoft.VisualStudio.RemoteControl.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup.Bootstrapper\obj\Release\net472\vs_setup_bootstrapper.pdb7 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup.Download\obj\Release\net472\Microsoft.VisualStudio.Setup.Download.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4480241119.00000000053F2000.00000002.00000001.01000000.0000000B.sdmp, Microsoft.VisualStudio.Setup.Download.dll.0.dr
Source:	Binary string: /_/src/Microsoft.Identity.Client.Extensions.Msal/obj/Release/net45/Microsoft.Identity.Client.Extensions.Msal.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Extensions.Msal.dll.0.dr
Source:	Binary string: /_/src/client/Microsoft.Identity.Client/obj/Release/net461/Microsoft.Identity.Client.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\src\Microsoft.VisualStudio.Utilities.Internal\Release\net45\Microsoft.VisualStudio.Utilities.Internal.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481871499.0000000005962000.00000002.00000001.01000000.0000000D.sdmp, Microsoft.VisualStudio.Utilities.Internal.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\BoxStub\bin\Release\Win32\boxstub.pdb* source: VisualStudioSetup.exe
Source:	Binary string: /_/src/Microsoft.IdentityModel.Abstractions/obj/Release/net472/Microsoft.IdentityModel.Abstractions.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.IdentityModel.Abstractions.dll.0.dr
Source:	Binary string: D:\a\1\s\_builds\windows-x86\msalruntime\bin\RelWithDebInfo\msalruntime_x86.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B1DC000.00000004.00000020.00020000.00000000.sdmp, msalruntime_x86.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\BoxStub\bin\Release\Win32\boxstub.pdb source: VisualStudioSetup.exe
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdbBSJB source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481054308.00000000055D2000.00000002.00000001.01000000.0000000F.sdmp, System.Runtime.CompilerServices.Unsafe.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup.Bootstrapper\obj\Release\net472\vs_setup_bootstrapper.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup.Common\obj\Release\net472\Microsoft.VisualStudio.Setup.Common.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4480495615.0000000005442000.00000002.00000001.01000000.00000008.sdmp, Microsoft.VisualStudio.Setup.Common.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481054308.00000000055D2000.00000002.00000001.01000000.0000000F.sdmp, System.Runtime.CompilerServices.Unsafe.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\VSInstallerElevationRequestService.Contracts\obj\Release\net472\VSInstallerElevationService.Contracts.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000B37A000.00000004.00000020.00020000.00000000.sdmp, VSInstallerElevationService.Contracts.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\src\Setup\obj\Release\net472\Microsoft.VisualStudio.Setup.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\src\Microsoft.VisualStudio.Telemetry\Release\net45\Microsoft.VisualStudio.Telemetry.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4483058233.0000000005FB7000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr
Source:	Binary string: /_/src/Microsoft.Identity.Client.Extensions.Msal/obj/Release/net45/Microsoft.Identity.Client.Extensions.Msal.pdbSHA256 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Extensions.Msal.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\src\Microsoft.VisualStudio.Utilities.Internal\Release\net45\Microsoft.VisualStudio.Utilities.Internal.pdbSHA256x source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481871499.0000000005962000.00000002.00000001.01000000.0000000D.sdmp, Microsoft.VisualStudio.Utilities.Internal.dll.0.dr
Source:	Binary string: /_/src/client/Microsoft.Identity.Client.Broker/obj/Release/net461/Microsoft.Identity.Client.Broker.pdbSHA256 source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.Broker.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\Microsoft.VisualStudio.RemoteControl\Release\net45\Microsoft.VisualStudio.RemoteControl.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4483906144.00000000060D2000.00000002.00000001.01000000.00000010.sdmp, Microsoft.VisualStudio.RemoteControl.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\obj\src\Microsoft.VisualStudio.Telemetry\Release\net45\Microsoft.VisualStudio.Telemetry.pdbSHA256{v source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4483058233.0000000005FB7000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr
Source:	Binary string: D:\a\1\s\_builds\windows-x86\msalruntime\interop\net\obj\Win32\RelWithDebInfo\net461\Microsoft.Identity.Client.NativeInterop.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.NativeInterop.dll.0.dr
Source:	Binary string: /_/src/client/Microsoft.Identity.Client/obj/Release/net461/Microsoft.Identity.Client.pdbSHA256so source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Identity.Client.dll.0.dr
Source:	Binary string: /_/src/Microsoft.IdentityModel.Abstractions/obj/Release/net472/Microsoft.IdentityModel.Abstractions.pdbSHA256Hw[ source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.IdentityModel.Abstractions.dll.0.dr
Source:	Binary string: D:\a\1\s\_builds\windows-arm64\msalruntime\bin\RelWithDebInfo\msalruntime_arm64.pdb source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000AF9D000.00000004.00000020.00020000.00000000.sdmp, msalruntime_arm64.dll.0.dr

Binary contains a suspicious time stamp

Source: vs_setup_bootstrapper.exe.0.dr

Static PE information: 0x8DB2A9C3 [Tue May 2 00:05:23 2045 UTC]

PE file contains sections with non-standard names

Source: VisualStudioSetup.exe

Static PE information: section name: .boxld01

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_00933001 push ecx; ret	0_2_00933014
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_00903C7D push esi; ret	0_2_00903C86
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_053F5803 push es; retn 0002h	2_2_053F5957
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_059652A5 push 0000002Fh; ret	2_2_05965306
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_05963F66 push 0000006Fh; retn 0000h	2_2_059640AC
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_060D4550 push 00000012h; ret	2_2_060D4742
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D5466 push ecx; ret	2_2_6C6D5479
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6E0CE3 push ecx; ret	2_2_6C6E0CF6
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_053EBBE9 pushad ; ret	2_2_053EBBEA
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_060E4520 pushfd ; iretd	2_2_060E4529
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_060EC590 push es; ret	2_2_060EC5A0
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_060E4CE0 pushfd ; iretd	2_2_060E4CED
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_060E9DA1 push es; ret	2_2_060E9DB0
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_060EB840 push es; ret	2_2_060EB850
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_061BC647 pushfd ; ret	2_2_061BC739
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_061B53E0 push es; ret	2_2_061B53F0
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_0683E503 pushad ; retf	2_2_0683E509

Drops PE files

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\fr\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.Extensions.Msal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\runtimes\win-x86\native\msalruntime_x86.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.NativeInterop.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\runtimes\win-x64\native\msalruntime.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.IdentityModel.Abstractions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\ja\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\pt-BR\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\cs\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\zh-Hans\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.Broker.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\ru\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\de\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\System.Memory.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\it\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\zh-Hant\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\runtimes\win-arm64\native\msalruntime_arm64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\tr\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\es\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\VSInstallerElevationService.Contracts.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\ko\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\pl\vs_setup_bootstrapper.resources.dll	Jump to dropped file

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

File created: C:\Users\user\AppData\Local\Temp\dd_VisualStudioSetup_decompression_log.txt

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\SysWOW64\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Memory allocated: F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Memory allocated: 2A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Memory allocated: 1000000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Code function: 2_2_05965E18 rdtsc

2_2_05965E18

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Window / User API: threadDelayed 5142			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Window / User API: threadDelayed 4536			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\fr\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.Extensions.Msal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\runtimes\win-x86\native\msalruntime_x86.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\runtimes\win-x64\native\msalruntime.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.NativeInterop.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\ja\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.IdentityModel.Abstractions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\pt-BR\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\cs\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\zh-Hans\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.Broker.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\ru\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\de\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\System.Memory.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\it\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\zh-Hant\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\runtimes\win-arm64\native\msalruntime_arm64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\es\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\tr\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\VSInstallerElevationService.Contracts.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\ko\vs_setup_bootstrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\pl\vs_setup_bootstrapper.resources.dll	Jump to dropped file

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

API coverage: 6.8 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe TID: 4524	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe TID: 3596	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe TID: 3596	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Version,SerialNumber from Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Product from Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0090CAD9 FindFirstFileW,GetLastError,FindNextFileW,CloseHandle,FindClose,	0_2_0090CAD9
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0090EB72 GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,GetLastError,	0_2_0090EB72
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0092A58A FindFirstFileExW,	0_2_0092A58A
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6DA1EA FindFirstFileExW,	2_2_6C6DA1EA

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_00911284 __EH_prolog3_GS,GetSystemInfo,

0_2_00911284

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: PostVirtualMachineTypeTelemetry
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: InitializeVirtualMachineTypeValue
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, getmac.exe, 00000003.00000002.2058331353.0000000003357000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000003.00000003.2055963306.0000000003356000.00000004.00000020.00020000.00000000.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: Hyper-V
Source: Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: VMware
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4474669306.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $cq"VS.Core.Machine.VirtualMachineType
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	Binary or memory string: uTimed out while querying for Hyper-V feature availability.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	Binary or memory string: SELECT Name FROM Win32_OptionalFeature WHERE Name = 'Microsoft-Hyper-V'
Source: getmac.exe, 00000003.00000003.2055779123.0000000003374000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000003.00000002.2060920729.0000000003374000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: getmac.exe, 00000003.00000003.2055779123.0000000003374000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000003.00000002.2060920729.0000000003374000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: isVirtualMachine
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: virtualMachineTypeValue
Source: getmac.exe, 00000003.00000002.2058331353.0000000003357000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000003.00000003.2055963306.0000000003356000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	Binary or memory string: 4Hyper-V is not supported by the current environment.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: IsVirtualMachinePropertyName
Source: getmac.exe, 00000003.00000003.2055709976.0000000003397000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000003.00000003.2055583804.0000000003391000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport1
Source: vs_setup_bootstrapper.exe, 00000002.00000002.4483058233.0000000005FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: IsDevBoxAVS.Core.Machine.Processor.FamilyGVS.Core.Machine.Processor.Frequency?VS.Core.Machine.Processor.ModelEVS.Core.Machine.Processor.Stepping;VS.Core.Machine.VM.AzureImage1VS.Core.Win365.PartnerId-VS.Core.Win365.SkuName)VS.Core.Machine.IsVMEVS.Core.Machine.VirtualMachineType]HARDWARE\DESCRIPTION\System\CentralProcessor\0'ProcessorNameStringSSOFTWARE\Microsoft\VisualStudio\Telemetry!AzureVMImageNameNone
Source: Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: vmware-
Source: vs_setup_bootstrapper.exe	Binary or memory string: VS.Core.Machine.VirtualMachineType
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: VirtualMachineTypePropertyName
Source: getmac.exe, 00000003.00000002.2058331353.0000000003357000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000003.00000003.2055963306.0000000003356000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAW
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: IsVirtualMachine
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: GetVirtualMachineTypeValue
Source: getmac.exe, 00000003.00000003.2055709976.0000000003397000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000003.00000003.2055583804.0000000003391000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: NoneRSOFTWARE\Microsoft\VisualStudio\Telemetry8VS.Core.Machine.Architecture(VS.Core.Machine.IsVMDVS.Core.Machine.VirtualMachineType
Source: vs_setup_bootstrapper.exe	Binary or memory string: Unable to query for Hyper-V feature availability: {0}
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, 00000002.00000002.4479260656.0000000005132000.00000002.00000001.01000000.00000007.sdmp, Microsoft.VisualStudio.Setup.dll.0.dr	Binary or memory string: kUnable to query for Hyper-V feature availability: {0}
Source: vs_setup_bootstrapper.exe	Binary or memory string: S.Core.Machine.VirtualMachineType
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: InitializeVirtualMachineType
Source: vs_setup_bootstrapper.exe	Binary or memory string: Timed out while querying for Hyper-V feature availability.
Source: VisualStudioSetup.exe, 00000000.00000003.2034965309.000000000A7B3000.00000004.00000020.00020000.00000000.sdmp, vs_setup_bootstrapper.exe, vs_setup_bootstrapper.exe, 00000002.00000002.4481181117.00000000055E2000.00000002.00000001.01000000.00000009.sdmp, Microsoft.VisualStudio.Telemetry.dll.0.dr	Binary or memory string: virtualMachineType

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Code function: 2_2_05965E18 rdtsc

2_2_05965E18

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_00927941 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00927941

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0092B82C mov eax, dword ptr fs:[00000030h]	0_2_0092B82C
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_00926FA5 mov ecx, dword ptr fs:[00000030h]	0_2_00926FA5
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0092B7E8 mov eax, dword ptr fs:[00000030h]	0_2_0092B7E8
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D9D78 mov eax, dword ptr fs:[00000030h]	2_2_6C6D9D78
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D885B mov ecx, dword ptr fs:[00000030h]	2_2_6C6D885B

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_0090C823 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapReAlloc,ReadFile,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,RtlFreeHeap,

0_2_0090C823

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_00927941 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00927941
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0091E257 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0091E257
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0091E3F6 SetUnhandledExceptionFilter,	0_2_0091E3F6
Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Code function: 0_2_0091DC5E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0091DC5E
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D5092 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6C6D5092
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D813E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6C6D813E
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Code function: 2_2_6C6D5298 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6C6D5298

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Detected PureCrypter Trojan

Source: 20240623062655_e0da717c5d50411ebf74d5aca452db70.tmp.2.dr

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

0_2_009097A6

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\VisualStudioSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe "C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\user\Desktop\VisualStudioSetup.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\user\Desktop"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Process created: C:\Windows\SysWOW64\getmac.exe "getmac"			Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_0091E62B cpuid

0_2_0091E62B

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\System.Memory.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Controls.Ribbon\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Controls.Ribbon.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXmlLinq\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXmlLinq.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemCore\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemCore.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240523163000_24b8e7e77c3c4e358bd5e1de0726ac88.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240523163000_24b8e7e77c3c4e358bd5e1de0726ac88.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240523163000_24b8e7e77c3c4e358bd5e1de0726ac88.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240523163000_24b8e7e77c3c4e358bd5e1de0726ac88.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240523163000_631515a6268b4bc5adba92a40c352661.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240523163000_631515a6268b4bc5adba92a40c352661.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240525194707_98a010cee40f4f95af445d881a41a2d6.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240525194707_98a010cee40f4f95af445d881a41a2d6.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240525194707_98a010cee40f4f95af445d881a41a2d6.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240525194707_98a010cee40f4f95af445d881a41a2d6.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240525194707_c12eac8f38804f6bb862d19c21f1fcfe.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240525194707_c12eac8f38804f6bb862d19c21f1fcfe.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240607185001_86a9129f4885435c9ed3a73cbce6d3ba.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240607185001_86a9129f4885435c9ed3a73cbce6d3ba.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240607185001_86a9129f4885435c9ed3a73cbce6d3ba.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240607185001_86a9129f4885435c9ed3a73cbce6d3ba.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240607185001_6c47a1a998644fd49bfd1efaf289c838.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240607185001_6c47a1a998644fd49bfd1efaf289c838.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240614084043_3a72124a56384c98b712ff34cb5c41c9.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240614084043_3a72124a56384c98b712ff34cb5c41c9.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240614084043_3a72124a56384c98b712ff34cb5c41c9.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240614084043_3a72124a56384c98b712ff34cb5c41c9.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240614084043_7d750e310097423c95c14a6bca305e4e.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240614084043_7d750e310097423c95c14a6bca305e4e.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240616161207_6b5e978452e84cb397f54a326fe6931c.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240616161207_6b5e978452e84cb397f54a326fe6931c.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240616161207_6b5e978452e84cb397f54a326fe6931c.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240616161207_6b5e978452e84cb397f54a326fe6931c.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240616161207_43ccb07acb9945aa9c8b44353104deb8.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240616161207_43ccb07acb9945aa9c8b44353104deb8.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240623062655_e0da717c5d50411ebf74d5aca452db70.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240623062655_e0da717c5d50411ebf74d5aca452db70.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240623062655_e0da717c5d50411ebf74d5aca452db70.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240623062655_e0da717c5d50411ebf74d5aca452db70.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240623062655_b3cff21c83bf4353905574a9020524ee.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240623062655_b3cff21c83bf4353905574a9020524ee.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240625142858_0a458ab2b67549ab921d5e4199c0b68e.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240625142858_0a458ab2b67549ab921d5e4199c0b68e.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240625142858_0a458ab2b67549ab921d5e4199c0b68e.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240625142858_0a458ab2b67549ab921d5e4199c0b68e.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240625142858_5f3fe5b349b74f4c8f0b9c89bf97638f.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240625142858_5f3fe5b349b74f4c8f0b9c89bf97638f.trn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_0090DC5D GetLocalTime,

0_2_0090DC5D

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_0090E656 GetTimeZoneInformation,GetSystemTime,SystemTimeToTzSpecificLocalTime,GetSystemTime,

0_2_0090E656

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Code function: 0_2_0090D9AF GetVersionExW,GetModuleHandleW,GetProcAddress,GetCurrentProcess,IsWow64Process,IsWow64Process,GetLastError,

0_2_0090D9AF

Source: C:\Users\user\Desktop\VisualStudioSetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

2_2_6C6D16B0

ID:	1446645
Product:	CloudBasic
Start time:	18:28:05
Start date:	23.05.2024
Sample:	VisualStudioSetup.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	e81c3dce4ebe9d90c39a0dc4a7782dcf
SHA1:	d55e946462aaecb5371db48a3d21bcba8dcaaeb1
SHA256:	84af88add861a83a58867c92ba1445016c98879400450b1e7f39a815b6ae43b2
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202405231229282350.json	JSON data	BB004C2A7E87D3016E3BDCFD6D9F5251	3C984D00B521893B050B3A4DBB0FDDC283D27865	ADCF02F322066AEA210E820D7D344F3A0FED05DF18EBD57C053C5C727F232307
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240523163000_24b8e7e77c3c4e358bd5e1de0726ac88.tmp	ASCII text, with very long lines (6080), with CRLF line terminators	988E6569A1D634115016D24CE9E8477E	AD2572E95522FE536AB8052ECAFF68463A6A31CA	6F0813E579CC842B258C3BA741085EF41CB2455D1BB416638C6B90C4128019E0
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240523163000_24b8e7e77c3c4e358bd5e1de0726ac88.trn (copy)	ASCII text, with very long lines (6080), with CRLF line terminators	988E6569A1D634115016D24CE9E8477E	AD2572E95522FE536AB8052ECAFF68463A6A31CA	6F0813E579CC842B258C3BA741085EF41CB2455D1BB416638C6B90C4128019E0
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240523163000_631515a6268b4bc5adba92a40c352661.trn (copy)	ASCII text, with very long lines (6080), with CRLF line terminators	988E6569A1D634115016D24CE9E8477E	AD2572E95522FE536AB8052ECAFF68463A6A31CA	6F0813E579CC842B258C3BA741085EF41CB2455D1BB416638C6B90C4128019E0
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240525194707_98a010cee40f4f95af445d881a41a2d6.tmp	ASCII text, with very long lines (1776), with CRLF line terminators	BAE120CD01F5E1CEB97492645DFE3A56	49F89C2B3831A92AD404ACB48AF8D3C28EF81478	AD1CCDAA87FFC944F750AF7BDC3ED4DC73FB739EFA09C6794FF94DF9B7A4471B
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240525194707_98a010cee40f4f95af445d881a41a2d6.trn (copy)	ASCII text, with very long lines (1776), with CRLF line terminators	BAE120CD01F5E1CEB97492645DFE3A56	49F89C2B3831A92AD404ACB48AF8D3C28EF81478	AD1CCDAA87FFC944F750AF7BDC3ED4DC73FB739EFA09C6794FF94DF9B7A4471B
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240525194707_c12eac8f38804f6bb862d19c21f1fcfe.trn (copy)	ASCII text, with very long lines (1776), with CRLF line terminators	BAE120CD01F5E1CEB97492645DFE3A56	49F89C2B3831A92AD404ACB48AF8D3C28EF81478	AD1CCDAA87FFC944F750AF7BDC3ED4DC73FB739EFA09C6794FF94DF9B7A4471B
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240607185001_6c47a1a998644fd49bfd1efaf289c838.trn (copy)	ASCII text, with very long lines (5264), with CRLF line terminators	13325C443AC62F9D23C13905C476F7AF	9BFC0EA5DA1F808F22351EBC6664C883984FE568	92B77194A7462637DF9882C55BEBAD14B097FB2FDAE377A14A90F0FB73030852
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240607185001_86a9129f4885435c9ed3a73cbce6d3ba.tmp	ASCII text, with very long lines (5264), with CRLF line terminators	13325C443AC62F9D23C13905C476F7AF	9BFC0EA5DA1F808F22351EBC6664C883984FE568	92B77194A7462637DF9882C55BEBAD14B097FB2FDAE377A14A90F0FB73030852
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240607185001_86a9129f4885435c9ed3a73cbce6d3ba.trn (copy)	ASCII text, with very long lines (5264), with CRLF line terminators	13325C443AC62F9D23C13905C476F7AF	9BFC0EA5DA1F808F22351EBC6664C883984FE568	92B77194A7462637DF9882C55BEBAD14B097FB2FDAE377A14A90F0FB73030852
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240614084043_3a72124a56384c98b712ff34cb5c41c9.tmp	ASCII text, with very long lines (3020), with CRLF line terminators	4181C93DFA8B75A0F6C9AC61D11DD8CC	EE1E5F159CAAB48C1555320E576BBB6001F1B33B	9367ADDC36BFF24C87BBF0F10C7DC30687A81F0DE5A32CA6D5CC63427FE8E4B0
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240614084043_3a72124a56384c98b712ff34cb5c41c9.trn (copy)	ASCII text, with very long lines (3020), with CRLF line terminators	4181C93DFA8B75A0F6C9AC61D11DD8CC	EE1E5F159CAAB48C1555320E576BBB6001F1B33B	9367ADDC36BFF24C87BBF0F10C7DC30687A81F0DE5A32CA6D5CC63427FE8E4B0
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240614084043_7d750e310097423c95c14a6bca305e4e.trn (copy)	ASCII text, with very long lines (3020), with CRLF line terminators	4181C93DFA8B75A0F6C9AC61D11DD8CC	EE1E5F159CAAB48C1555320E576BBB6001F1B33B	9367ADDC36BFF24C87BBF0F10C7DC30687A81F0DE5A32CA6D5CC63427FE8E4B0
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240616161207_43ccb07acb9945aa9c8b44353104deb8.trn (copy)	ASCII text, with very long lines (1780), with CRLF line terminators	25FFD863969529538481BF79197E9D98	B0D6D870D2ED354DA8355F8990BB38F9BFFF1CDC	5D9EA363BFA8DD488B0ABAF9BCE32F7F7C287AA7C4932068F8D9E3575C96C2F1
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240616161207_6b5e978452e84cb397f54a326fe6931c.tmp	ASCII text, with very long lines (1780), with CRLF line terminators	25FFD863969529538481BF79197E9D98	B0D6D870D2ED354DA8355F8990BB38F9BFFF1CDC	5D9EA363BFA8DD488B0ABAF9BCE32F7F7C287AA7C4932068F8D9E3575C96C2F1
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240616161207_6b5e978452e84cb397f54a326fe6931c.trn (copy)	ASCII text, with very long lines (1780), with CRLF line terminators	25FFD863969529538481BF79197E9D98	B0D6D870D2ED354DA8355F8990BB38F9BFFF1CDC	5D9EA363BFA8DD488B0ABAF9BCE32F7F7C287AA7C4932068F8D9E3575C96C2F1
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240623062655_b3cff21c83bf4353905574a9020524ee.trn (copy)	ASCII text, with very long lines (3872), with CRLF line terminators	91AC109328A4EE06E90132D6B2450A54	93B53D766A5E97190887D04196199174E373DB8C	34587009056E89E0B4F1F1E16BC0BFCD3AB23972F1E74E38E32ED6A6BA117F55
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240623062655_e0da717c5d50411ebf74d5aca452db70.tmp	ASCII text, with very long lines (3872), with CRLF line terminators	91AC109328A4EE06E90132D6B2450A54	93B53D766A5E97190887D04196199174E373DB8C	34587009056E89E0B4F1F1E16BC0BFCD3AB23972F1E74E38E32ED6A6BA117F55
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240623062655_e0da717c5d50411ebf74d5aca452db70.trn (copy)	ASCII text, with very long lines (3872), with CRLF line terminators	91AC109328A4EE06E90132D6B2450A54	93B53D766A5E97190887D04196199174E373DB8C	34587009056E89E0B4F1F1E16BC0BFCD3AB23972F1E74E38E32ED6A6BA117F55
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240625142858_0a458ab2b67549ab921d5e4199c0b68e.tmp	ASCII text, with very long lines (2372), with CRLF line terminators	07C05499C3310799E8841D07DDC4F4CB	7A00999020BAE95B11B2FA949C4CE6D849C1AA7A	573B5D2F6E617D6E4A8C815C11331449E267C95E8E4BB59F8305F082067F5B3E
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240625142858_0a458ab2b67549ab921d5e4199c0b68e.trn (copy)	ASCII text, with very long lines (2372), with CRLF line terminators	07C05499C3310799E8841D07DDC4F4CB	7A00999020BAE95B11B2FA949C4CE6D849C1AA7A	573B5D2F6E617D6E4A8C815C11331449E267C95E8E4BB59F8305F082067F5B3E
C:\Users\user\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240625142858_5f3fe5b349b74f4c8f0b9c89bf97638f.trn (copy)	ASCII text, with very long lines (2372), with CRLF line terminators	07C05499C3310799E8841D07DDC4F4CB	7A00999020BAE95B11B2FA949C4CE6D849C1AA7A	573B5D2F6E617D6E4A8C815C11331449E267C95E8E4BB59F8305F082067F5B3E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\RemoteSettings_Installer[1].cache	JSON data	AF65449DB44ECD2FB4F484CA985388B8	38AB6997E0EBC79F47848D0EC59A7D2690F3E407	85ADBB128C2937A1D382E3EFFA7709950CD0743CD52F73FB30055637625CDE75
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\dyntelconfig[1].cache	ASCII text, with very long lines (20426), with no line terminators	0F60C1785BFFFD823FA7E755801B6033	194326CF1C130DBDE80213B95558B806CD524626	798D80699F57507A2875688EABA71C7201DB9315C359414DC509E8BFDEF5C49A
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\HelpFile\1028\help.html	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	EEAF8CBF54B4E891FF6BE38CF44E3814	7403EA3866651A9CF02C760721FFDDDCA1FCA5C5	AAD5B2ACF30EB9C2DD35FF3B5C6C1A76CC4F1AE0AB6F382A635F5C329439F3AF
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\HelpFile\1029\help.html	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	432E50F4764D69625E5143571F823B6A	B0A9336CB2C54AA7F65C2CD3856AE17C47AAD751	C877FE7CD9544369A42A61B5C51264D74BFCA5B4BC5D4DD1FA703428261D6ABC
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\HelpFile\1031\help.html	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	6F489A55562732D253AD828581176A9A	6177FB738ADC650C574D5B29965F3C88AE3518D5	9502AC0910BCEE0EB3123F7B68A605D71C8DF72FE7B33F4173AFB4A01390581A
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\HelpFile\1033\help.html	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	4F7415E811ACBDDED478B40C3E7B287E	D0ED04C38662F1039C40D9AD247B47DC88C6BE5E	55846D86DBE60B1B663018D72BEFA0F53A61D34A4EB093563B93A41B2FAA34A5
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\HelpFile\1036\help.html	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	F3F48126539E0BA3A98DD002FD224C3A	BF8079C93203A9778E44785A449A46729BA3C016	7A13A7DA236E87310B88E620520C8DAB78F47210C57E1FABBD1AC3162215BAEB
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\HelpFile\1040\help.html	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	88289FD0D816A06C1A7B303397D0C122	DF516CBCDE29787EC24A8AFC744D20F0156D52CA	DF46CA96704CBEF3B79E0AA7A8B8239E7ACF12899B6C02A063F138C1F0F9FD34
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\HelpFile\1041\help.html	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	92E54A7DB253A0A47C03B44D9651DF3C	FE708E0AC308B7B72CF1BD7F93E2965A67B36CA7	36C917F205A9C9D5F37788CA45ECD57D0F8EEB498F8320849BBEDF49E012E9F9
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\HelpFile\1042\help.html	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	8125E76142C8438863F35CE5B8E63E57	88C104928F0889B2F0565E3D07721E3209995EB9	929A97C8A9A4EA4F72E2F17DBB20E76E604B7F1255F20874AA1C44AEC0F456C1
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\HelpFile\1045\help.html	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	9147BC24EACE34955B865DAA39DAD8AB	965E855533C6F247A3F4FC785B805096EFC43850	322DB9FFDB987D0C824A4DE3B8DB40722BCAF95833DCF90E7B5F250A841E592B
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\HelpFile\1046\help.html	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	C2BDEAA46B13E3CDE01E3DCAA734C0F2	F91BB4CF0C65422A7F16D362903CC8A62E6D3B8B	5A0802D6CA8D63D8476EEC79BDBD6079A17DC149D5D8C7DF13059D47BBB09F3A
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\HelpFile\1049\help.html	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	66D963430209555CDCB8A5C0219BC60C	B20A6CFCB7A8991D5D347382408E2A4F47D97DF0	D9AB0A8DB5A8409C5849AA4E1512576225E5B320EA79B0CDC83C2B4848401611
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\HelpFile\1055\help.html	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	C7B60E697671394781260D5B2CD21810	71219978A2E4CD53D3D6EC2084DAB672E17935E6	CCF766B55CB0CC623F2705206A2AF04F2C83801580BC40A5AC20F644B814AB8F
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\HelpFile\2052\help.html	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	1BD86FBD65D005648103E050D9BEB9F1	13CAD440B20CFE8337E425430892C946731C0AD8	740117157B31BD5C634A232A0BA98A692B28ED2B4829EF52372200EB547D07CF
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\HelpFile\3082\help.html	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0474106AC825B4F7727FF94576FC15C2	BA346D0AB401DD35D6A7305414C4237177031A68	A597AA82F35641455E12BD78662A05142F64BC221FF91D4EC4F2A8FA2983297F
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C5E7C4A539EA834661FE20F994330F7E	E2FF1096F557212DDE051887BFD4A450B23E9277	BC53C6FB22F4BCE970C87122579CAF785F75CBC91D49F49E54229BA32AC7D447
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	AABFD8A438AE79B4F236EC3B45544DD2	32B026AB6DD4CE60C16FA48690F32632F7F4AC17	95CB344B58ED754E25F60C44F32303DE9E65DA603DB06A9321D137580B3657CA
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.Broker.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D69DDC47DDB2C4C8937E4EFCBB6E29D0	6DE3D02AA85B7915A6AD07C78340B57119C10B01	5E93BB3957C3001DB4F0938848DEFCF247DDADB3E779F56E87F7838D62509B9C
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.Extensions.Msal.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	352EE196CD65C98B729065AAF6F5C9E3	5DA4C568740C6C91E02EF0E9E1DAC38C52AE33C1	6CEAA8B598E7985D5637AB1659566DFF9C1FDA37EDF0F044759B56444F739018
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.NativeInterop.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	7A9DD6DF8C84D2CD25919DF6D2868069	1750E30F04F4F621EC716542535E18A99B8F8CE8	DDE925277C60B8C94434FF1B50E678AD69D79B64E80FBE006BEFF0F16E5E2165
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.Identity.Client.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	B55A27FA0913854773F9C9F5A42C4456	694100D079A75C5D278A2A824DAFAE21DA370C5B	C7674FA4E25B030DA4AC00A3D63E1466418204E485203779D6DBAB2CC753CBFA
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.IdentityModel.Abstractions.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	DC6D5F059A711616234B383D8A3CD5F2	B53DF8E875BEDF924A32EEBEA2ABB2018F06E5E1	D461864929E446EDBC6513421F4DB8C6465899D9067EA3C33E2131227799B525
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	355C1A112BC0F859B374A4B1C811C1E7	B9A58BB26F334D517AB777B6226FEF86A67EB4DD	CC52E19735D6152702672FEB5911C8BA77F60FDC73DF5ED0D601B37415F3A7ED
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	08645C50CB281AF1371E8F0DED10AB67	AE06060913C4BE03AF0E1736650D64E8CDA7AD55	7BFA4386A603B98AF49099D67F5C5D1E7A50B15107F9780E7F7F50F39234BED9
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	8A9CBBE63D730D60EF5159BED516BC78	130C25908DD4201DB8E6A2F2319EAFC86114B7C3	4E94690F548EF43A279A1F55807713EB970FA7A0FC9E64602779595778766064
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	DA8106A5723B5D66CD6B1713ECE8B91B	73BFD5942BDACC4C87B003C6C5555FEA4BA6251F	7C481DC4E4C2ED5DF782A794F571808AEC82A71C4FDB1054939A42C4B9F368AA
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	BBCC8244DB84AD2031AC010633ABF798	DE0CB65EE877663DA272B4162A55A64AB8669F74	8FE17FF9DA7932DC01A39ED27559D5CDFA9B97BA14CBAA9F719087A241C8B82D
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	2DC1DC66B267A3470ADD7FAB88B78069	DBE80047475B503791038ED7E47389C062C15C72	B044863F98AF8D28F4F2F5E2DCCB945C57439E1575AFB37110E1EEC306A6C89C
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\Newtonsoft.Json.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	195FFB7167DB3219B217C4FD439EEDD6	1E76E6099570EDE620B76ED47CF8D03A936D49F8	E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\System.Memory.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	F09441A1EE47FB3E6571A3A448E05BAF	3C5C5DF5F8F8DB3F0A35C5ED8D357313A54E3CDE	BF3FB84664F4097F1A8A9BC71A51DCF8CF1A905D4080A4D290DA1730866E856F
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C610E828B54001574D86DD2ED730E392	180A7BAAFBC820A838BBACA434032D9D33CCEEBE	37768488E8EF45729BC7D9A2677633C6450042975BB96516E186DA6CB9CD0DCF
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\VSInstallerElevationService.Contracts.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	B71306B232B606B7B5E625F6DA67BEB7	CD997770324D58ABB9FEC0DFE1806482509415DD	142A0541EDF1A59C0FA2BF34B6B2DB495E29C4F31FD03B2633A9B753A71D39F3
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\cs\vs_setup_bootstrapper.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	4AEEEC1D0FA2FA470B845DF4A5F20ADC	418806B0257D51D667B53A57ADDEF82FBA72BBE3	C05F2C409FFA4CD3A0FA18BB2D736315E1971BDC84DD0160B8621463BCF264BC
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\de\vs_setup_bootstrapper.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	670360AFB5CC2C43DA6CCCAE1E2DAD26	CFF390695D653B43BDBB946EDC9AF93342BD6027	AE63C6654795492CF031DF3CFDBF7C3914BC7702D90F36083834E77E08554189
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\detection.json	JSON data	782F4BEAE90D11351DB508F38271EB26	F1E92AEA9E2CD005C2FB6D4FACE0258D4F1D8B6C	C828A2E5B4045CE36ECF5B49D33D6404C9D6F865DF9B3C9623787C2332DF07D9
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\es\vs_setup_bootstrapper.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	7E6F1ACB7A7984E9C80100D49E0C7FFC	DBE266D022DF9A7D77C14D61F6963EFFC8A61155	18404339B16DB1CD8708C6FE287AC935D19007DDD6C4560764B64D52D58086A7
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\fr\vs_setup_bootstrapper.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	BF6E960B2F85220B70F5A59CF5D867E0	16F12ED2F15FAE2F1EA5BB12CA0C11B552C73EEC	583EB0425DB2312057530D59C04F607D6CE7139A7722B05B5340F247FF42B45B
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\it\vs_setup_bootstrapper.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	94BF31A88E4F2DF564828A14875A9D21	E4E860C4D7AD5E49EC4DE620C0A03379261A8682	9944773A29A5299E145B4EAB6CE19DF88FBF89874EF43903BE7F1AD4E5CDC0E8
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\ja\vs_setup_bootstrapper.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	1F0A3AC04532D924920BED41F299C08C	5A517972A76A902A3B699F699DD24F2B89EAABAD	529715C668A12D0D0FA09C121DA7ED755C301B9A39A4101B730AA8BA08BF1734
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\ko\vs_setup_bootstrapper.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	76D609EB739C2C85FD9BA5BEF8288EA7	2C9A2BD3AB6203336DA4CC229C07527EB892F5CA	71518B1554AA235F67C87663549FEFF54C71FE77479311413D823368CFA54B09
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\pl\vs_setup_bootstrapper.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	ADFFBBA8D0D0899C2D9EC04561248E4E	49A16F20B8868E6EAAB604B76B526F782C53F8A1	1BA0C715715B2741D63673414272075BBD7A2ABA0A0CFF9458A8B02C859D2F40
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\pt-BR\vs_setup_bootstrapper.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	3801828DABD3EBFBB1DB5BCBE7E39734	AFD3C8F2DF47D4FDC52AA284E1D154136F924705	76C18CD1FCCF595795A5D72B34489517799FD18360265DC5A49BB0D0ABFC3C14
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\ru\vs_setup_bootstrapper.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	F60A8CFC4A8995726EB1A8DECC9B4A9E	F20EFD2E4028B49C57BC31417B9642988F92C93C	052FF6EDCEC6170D35DCDF5336E3D533CC1C86013E0797E01C6EDE1E270CE3F4
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\runtimes\win-arm64\native\msalruntime_arm64.dll	PE32+ executable (DLL) (console) Aarch64, for MS Windows	A2F41908D5DC93B30DAA584EA84D2092	858E185E27C19177D3BD8682CEA53BCDC27A598E	88A6F127EEE41DA978181DF5DE12D65D2337D4427EF66B6BE1DF51BC29E93F8B
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\runtimes\win-x64\native\msalruntime.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	6D226A7B33583555FE71310E610E7FC6	92BB8CE4CB4E215348C6E22FFC3BF57EC031883A	613BE496AD434CEEF6ED29DBBA64F27A2612795078977A8B07B229EBBA9E9953
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\runtimes\win-x86\native\msalruntime_x86.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	94AB867EF06D046B6F65ADBCB0994638	30768967AD3B95AAEB8EC671F96E176A6D5DD1FA	E9501BD3899C05167AB3D6CDE455E7C81BC4BD138314207F3CDFE910B21358AE
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\tr\vs_setup_bootstrapper.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	1EE13705137060818D20ADEDEC0A98C2	145E85ABADEC8300A4200793067E2E2A590D92F7	72B49DB6263C8166F85808C377B60BAC3E25679EF580F0999DE7C94761830FD6
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.config	ASCII text, with CRLF line terminators	0A19FC19FACE1DB2B5C04438B928D43D	BC4E0FB87707A452F1ADA09459022C91AF2D32BC	10E104169E96EC1588483CA251264BEE2301483ED9715BC5690E2D043D0FCBF3
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	4108506D8CDC3A03BB7E4496025EE902	A02D206F205A1A45B5223A73BFE84E25B359D251	F9BF0A30395E521D65FB1E39A6A76E19C061A8D3806653FC7F5B28B9FB327903
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config	XML 1.0 document, ASCII text, with CRLF line terminators	C301859AEF3BF4C0914914E5807F6A5B	908827CE12D093D2AA3D1E8BAA8CAF8BFE204FBD	781EC48AE412BA18C2CEA1B67F5BC4A33245FD5F96DBB0E58B218C98EE03785D
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\vs_setup_bootstrapper.json	JSON data	BB004C2A7E87D3016E3BDCFD6D9F5251	3C984D00B521893B050B3A4DBB0FDDC283D27865	ADCF02F322066AEA210E820D7D344F3A0FED05DF18EBD57C053C5C727F232307
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\zh-Hans\vs_setup_bootstrapper.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	9C42296E9618B81A0EA7C0AC05BEEA88	EA9F9065027A5196541994C07C4A6D948B9DF474	F2F7E8F1F674CA254A2EC2AE75E2AECBEB9C510198212F74275FC5D0B00B9887
C:\Users\user\AppData\Local\Temp\0912109488e5fc596ed0\vs_bootstrapper_d15\zh-Hant\vs_setup_bootstrapper.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	666036ED50EEC014C81DF2BBEDBF5FC7	882E2D8E2837281ECAEE21EE0C2815F6B3A5C455	4BAC87DC99F1121B463334E0670CCDB243EB7FC6E9035DBEF5B01DB0B9A8299B
C:\Users\user\AppData\Local\Temp\dd_VisualStudioSetup_decompression_log.txt	CSV text	E34606BE0A0F101D55AB4E67FBA2461A	09D8221556C13F9E8CE69B5F0CF6E22B08DDBF0C	900B99DB4E622B1B7F46EAA333CF562965E62314D1CFB73F7E667A08FA5361A0
C:\Users\user\AppData\Local\Temp\dd_bootstrapper_20240523122858.log	ASCII text, with very long lines (311), with CRLF line terminators	6377423ACBFF57BEAFE205DE044E6701	EC8FB0102E77C0BB086D8FA648B3BE88FFA6B367	38E3B4488D8C1510DF3F47A539C62BCB4EDBF3DE02A97E608E4F0111E2CAA0BB

Windows Analysis Report
VisualStudioSetup.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report VisualStudioSetup.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
VisualStudioSetup.exe

Malware Threat Intel
Provided by