Analysis
max time kernel: 3600s
max time network: 3503s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 12:08
Static task: static1
Behavioral task: behavioral1
  Sample: VisualStudioSetup.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: VisualStudioSetup.exe
  Resource: win10v2004-20240508-en
General
Target: VisualStudioSetup.exe
Size: 3.8MB
MD5: ac8dc6d9741dc336600a88a322cb8020
SHA1: cfd69912632bcb3f027ab6a713c760042090a3c6
SHA256: d2758c971053a68c0d209f9965af3420a85cbbe1969e4b5870145bb624bd1f53
SHA512: d3ebe0f838ee93c0800eae9c778fadb28e8b08fba89aff06975ffba2560d910f7f17fefbaa9913efcd3f744947978410a41ec953a788adb02a7214bb8a76754a
SSDEEP: 98304:bEbidYUhefyW9dfuejQFKH3JR8zdJwtrJMr:LyryIH3/8zUtrqr
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (VisualStudioSetup.exe)
Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\cachev3.dat (svchost.exe)
Executes dropped EXE (1 IoC)
  PID 436: vs_setup_bootstrapper.exe
Loads dropped DLL (21 IoCs)
  PID 436: vs_setup_bootstrapper.exe (21 entries, all attributed to PID 436 vs_setup_bootstrapper.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (vs_setup_bootstrapper.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (vs_setup_bootstrapper.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (vs_setup_bootstrapper.exe)
Modifies data under HKEY_USERS (6 IoCs)
  Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (svchost.exe)
  Key created: \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-33-83-c9-9d (svchost.exe)
  Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-33-83-c9-9d\WpadDecisionReason = "1" (svchost.exe)
  Set value (data): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-33-83-c9-9d\WpadDecisionTime = 37733f1a5eb3da01 (svchost.exe)
  Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-33-83-c9-9d\WpadDecision = "0" (svchost.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (svchost.exe)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 436 (vs_setup_bootstrapper.exe)
  Token: SeShutdownPrivilege, PID 448 (svchost.exe)
  Token: SeCreatePagefilePrivilege, PID 448 (svchost.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2360 wrote to memory of 436: VisualStudioSetup.exe (pid 2360, procid_target 85), 3 entries
  PID 436 wrote to memory of 4452: vs_setup_bootstrapper.exe (pid 436, procid_target 86), 3 entries
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\VisualStudioSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VisualStudioSetup.exe"
  PID: 2360
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  [level 2] C:\Users\Admin\AppData\Local\Temp\ea5a24781d1469dac08971\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ea5a24781d1469dac08971\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\VisualStudioSetup.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
    PID: 436
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [level 3] C:\Windows\SysWOW64\getmac.exe
      Command line: "getmac"
      PID: 4452
[level 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  PID: 448
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
-
Remote address: 8.8.8.8:53
Request: 104.219.191.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 73.31.126.40.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: az667904.vo.msecnd.net IN A
Response: az667904.vo.msecnd.net IN CNAME az667904-pme.azureedge.net; az667904-pme.azureedge.net IN CNAME az667904-pme.ec.azureedge.net; az667904-pme.ec.azureedge.net IN CNAME cs9.wpc.v0cdn.net; cs9.wpc.v0cdn.net IN A 152.199.19.161
-
Remote address: 152.199.19.161:443
Request:
GET /pub/Default/v2/dyntelconfig.json HTTP/1.1
Host: az667904.vo.msecnd.net
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Age: 188
Cache-Control: public, max-age=300
Content-MD5: D2DBeFv//YI/p+dVgBtgMw==
Content-Type: application/octet-stream
Date: Fri, 31 May 2024 12:29:18 GMT
Etag: 0x8DC5E449131B661
Last-Modified: Tue, 16 Apr 2024 18:39:36 GMT
Server: ECAcc (ama/48D1)
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 33be0574-701e-0035-2155-b3477b000000
x-ms-version: 2009-09-19
Content-Length: 20426
-
Remote address: 8.8.8.8:53
Request: az700632.vo.msecnd.net IN A
Response: az700632.vo.msecnd.net IN CNAME az700632-pme.azureedge.net; az700632-pme.azureedge.net IN CNAME az700632-pme.ec.azureedge.net; az700632-pme.ec.azureedge.net IN CNAME cs9.wpc.v0cdn.net; cs9.wpc.v0cdn.net IN A 152.199.19.161
-
GET https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json (vs_setup_bootstrapper.exe)
Remote address: 152.199.19.161:443
Request:
GET /pub/RemoteSettings/RemoteSettings_Installer.json HTTP/1.1
Host: az700632.vo.msecnd.net
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Age: 239
Cache-Control: public, max-age=300
Content-MD5: r2VEnbROzS+09ITKmFOIuA==
Content-Type: application/octet-stream
Date: Fri, 31 May 2024 12:29:18 GMT
Etag: 0x8DB348D7B945BFF
Last-Modified: Mon, 03 Apr 2023 21:50:47 GMT
Server: ECAcc (ama/4897)
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: ff03cb87-001e-0056-5655-b32a4a000000
x-ms-version: 2009-09-19
Content-Length: 1683
-
Remote address: 8.8.8.8:53
Request: 161.19.199.152.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 56.94.73.104.in-addr.arpa IN PTR
Response: 56.94.73.104.in-addr.arpa IN PTR a104-73-94-56.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: targetednotifications-tm.trafficmanager.net IN A
Response: targetednotifications-tm.trafficmanager.net IN CNAME tn-api-prod-westus2.azurewebsites.net; tn-api-prod-westus2.azurewebsites.net IN CNAME waws-prod-mwh-053.sip.azurewebsites.windows.net; waws-prod-mwh-053.sip.azurewebsites.windows.net IN CNAME waws-prod-mwh-053-6a6c.westus2.cloudapp.azure.com; waws-prod-mwh-053-6a6c.westus2.cloudapp.azure.com IN A 20.42.128.98
-
Remote address: 20.42.128.98:443
Request:
POST /api/values HTTP/1.1
Content-Type: application/json
Host: targetednotifications-tm.trafficmanager.net
Content-Length: 500
Expect: 100-continue
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Date: Fri, 31 May 2024 12:29:20 GMT
Server: Microsoft-IIS/10.0
Access-Control-Expose-Headers: Request-Context
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-API-Version: 3.0.257+6d12f875b4
X-AspNet-Version: 4.0.30319
Request-Context: appId=cid-v1:17488bd9-4fe9-4874-910a-dc8bcb1feb58
Arr-Disable-Session-Affinity: true
X-Content-Type-Options: nosniff
-
Remote address: 8.8.8.8:53
Request: 98.128.42.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 88.156.103.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 154.239.44.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 133.211.185.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 86.23.85.13.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 15.164.165.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: vortex.data.microsoft.com IN A
Response: vortex.data.microsoft.com IN CNAME asimov.vortex.data.trafficmanager.net; asimov.vortex.data.trafficmanager.net IN CNAME onedscolprdaus02.australiasoutheast.cloudapp.azure.com; onedscolprdaus02.australiasoutheast.cloudapp.azure.com IN A 104.46.162.226
-
Remote address: 104.46.162.226:443
Request:
POST /collect/v1 HTTP/1.1
Content-Type: application/x-json-stream; charset=utf-8
Content-Encoding: gzip
Host: vortex.data.microsoft.com
Content-Length: 2436
Expect: 100-continue
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Type: application/json
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000
time-delta-millis: 44786.7382
Access-Control-Allow-Headers: time-delta-millis
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST
Access-Control-Allow-Credentials: true
Date: Fri, 31 May 2024 12:30:02 GMT
-
Remote address: 8.8.8.8:53
Request: 226.162.46.104.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: mobile.events.data.microsoft.com IN A
Response: mobile.events.data.microsoft.com IN CNAME mobile.events.data.trafficmanager.net; mobile.events.data.trafficmanager.net IN CNAME onedscolprdneu13.northeurope.cloudapp.azure.com; onedscolprdneu13.northeurope.cloudapp.azure.com IN A 20.50.73.4
-
Remote address: 20.50.73.4:443
Request:
POST /OneCollector/1.0 HTTP/1.1
Content-Type: application/x-json-stream; charset=utf-8
Content-Encoding: gzip
x-apikey: f3e86b4023cc43f0be495508d51f588a-f70d0e59-0fb0-4473-9f19-b4024cc340be-7296
sdk-version: VSTelemetryAPI
NoResponseBody: false
Host: mobile.events.data.microsoft.com
Content-Length: 3587
Expect: 100-continue
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Type: application/json
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000
time-delta-millis: 32108
Access-Control-Allow-Headers: time-delta-millis
Access-Control-Allow-Methods: POST
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: time-delta-millis
Date: Fri, 31 May 2024 12:30:02 GMT
-
Remote address: 8.8.8.8:53
Request: 4.73.50.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 43.56.20.217.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 57.169.31.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 11.227.111.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: tse1.mm.bing.net IN A
Response: tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net; mm-mm.bing.net.trafficmanager.net IN CNAME dual-a-0001.a-msedge.net; dual-a-0001.a-msedge.net IN A 204.79.197.200; dual-a-0001.a-msedge.net IN A 13.107.21.200
-
Remote address: 8.8.8.8:53
Request: tse1.mm.bing.net IN A
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388236_1HL4SRJ7X21NUOQZ9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239339388236_1HL4SRJ7X21NUOQZ9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 478960
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F358B25B486244A58A960CB578EA94BF Ref B: BRU30EDGE0520 Ref C: 2024-05-31T12:31:06Z
date: Fri, 31 May 2024 12:31:05 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301361_1A941B3C9LQ8KN2OI&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239317301361_1A941B3C9LQ8KN2OI&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 585469
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 21FA215CBD6543318D8507103EFBA714 Ref B: BRU30EDGE0520 Ref C: 2024-05-31T12:31:06Z
date: Fri, 31 May 2024 12:31:05 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239317300928_17TNF1GROQEVAAS47&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239317300928_17TNF1GROQEVAAS47&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 527319
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 146EFA211F024DF899238B8A20359065 Ref B: BRU30EDGE0520 Ref C: 2024-05-31T12:31:06Z
date: Fri, 31 May 2024 12:31:05 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239360259211_1RHQV0P5DTUS9XFSL&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239360259211_1RHQV0P5DTUS9XFSL&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 562299
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 71299D61CF814FBF9D11436ADD64DF7A Ref B: BRU30EDGE0520 Ref C: 2024-05-31T12:31:06Z
date: Fri, 31 May 2024 12:31:05 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388237_16CFOYO7VUY1K6DRH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239339388237_16CFOYO7VUY1K6DRH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 443021
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FF76B1A6729041DABC52DB7DAAA2C9CD Ref B: BRU30EDGE0520 Ref C: 2024-05-31T12:31:06Z
date: Fri, 31 May 2024 12:31:05 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239360259212_1BAR08KBTVWDNYB0F&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239360259212_1BAR08KBTVWDNYB0F&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 439394
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CA9F4A31A5A148D38C4EDF31F34BA84C Ref B: BRU30EDGE0520 Ref C: 2024-05-31T12:31:09Z
date: Fri, 31 May 2024 12:31:08 GMT
-
Remote address: 8.8.8.8:53
Request: 200.197.79.204.in-addr.arpa IN PTR
Response: 200.197.79.204.in-addr.arpa IN PTR a-0001.a-msedge.net
-
Remote address: 8.8.8.8:53
Request: 11.173.189.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 74.19.199.152.in-addr.arpa IN PTR
Response: (empty)
-
152.199.19.161:443 | https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.json | tls, http | vs_setup_bootstrapper.exe | 1.5kB 28.4kB 23 34
HTTP Request: GET https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.json
HTTP Response: 200
-
152.199.19.161:443 | https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json | tls, http | vs_setup_bootstrapper.exe | 1.3kB 9.1kB 17 20
HTTP Request: GET https://az700632.vo.msecnd.net/pub/RemoteSettings/RemoteSettings_Installer.json
HTTP Response: 200
-
20.42.128.98:443 | https://targetednotifications-tm.trafficmanager.net/api/values | tls, http | vs_setup_bootstrapper.exe | 2.1kB 17.3kB 21 28
HTTP Request: POST https://targetednotifications-tm.trafficmanager.net/api/values
HTTP Response: 200
-
3.9kB 5.8kB 18 21
HTTP Request: POST https://vortex.data.microsoft.com/collect/v1
HTTP Response: 200
-
20.50.73.4:443 | https://mobile.events.data.microsoft.com/OneCollector/1.0 | tls, http | vs_setup_bootstrapper.exe | 5.2kB 5.9kB 19 21
HTTP Request: POST https://mobile.events.data.microsoft.com/OneCollector/1.0
HTTP Response: 200
-
1.2kB 8.1kB 15 13
-
1.2kB 8.1kB 17 15
-
1.1kB 8.0kB 14 12
-
1.2kB 8.1kB 15 13
-
204.79.197.200:443 | https://tse1.mm.bing.net/th?id=OADD2.10239360259212_1BAR08KBTVWDNYB0F&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 | tls, http2 | 107.9kB 3.2MB 2315 2311
HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239339388236_1HL4SRJ7X21NUOQZ9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317301361_1A941B3C9LQ8KN2OI&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317300928_17TNF1GROQEVAAS47&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239360259211_1RHQV0P5DTUS9XFSL&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239339388237_16CFOYO7VUY1K6DRH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
HTTP Response: 200
HTTP Response: 200
HTTP Response: 200
HTTP Response: 200
HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239360259212_1BAR08KBTVWDNYB0F&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
HTTP Response: 200
HTTP Response: 200
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
73.31.126.40.in-addr.arpa
-
68 B 179 B 1 1
DNS Request
az667904.vo.msecnd.net
DNS Response
152.199.19.161
-
68 B 179 B 1 1
DNS Request
az700632.vo.msecnd.net
DNS Response
152.199.19.161
-
73 B 144 B 1 1
DNS Request
161.19.199.152.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
56.94.73.104.in-addr.arpa
-
89 B 274 B 1 1
DNS Request
targetednotifications-tm.trafficmanager.net
DNS Response
20.42.128.98
-
71 B 145 B 1 1
DNS Request
98.128.42.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
88.156.103.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
71 B 203 B 1 1
DNS Request
vortex.data.microsoft.com
DNS Response
104.46.162.226
-
73 B 147 B 1 1
DNS Request
226.162.46.104.in-addr.arpa
-
78 B 203 B 1 1
DNS Request
mobile.events.data.microsoft.com
DNS Response
20.50.73.4
-
69 B 155 B 1 1
DNS Request
4.73.50.20.in-addr.arpa
-
71 B 131 B 1 1
DNS Request
43.56.20.217.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
57.169.31.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.227.111.52.in-addr.arpa
-
124 B 173 B 2 1
DNS Request
tse1.mm.bing.net
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.200, 13.107.21.200
-
73 B 106 B 1 1
DNS Request
200.197.79.204.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.173.189.20.in-addr.arpa
-
72 B 143 B 1 1
DNS Request
74.19.199.152.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads
-
C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202405311229157205.json
Filesize: 162B
MD5: ad891c3b02a02419dc60db8c273a8315
SHA1: 141a08ca0e25d56bdb35fc71e1c767667079114a
SHA256: 186c4b16ee009564819730b358dbdbb0792fc27e602698c5f0a16e20104647c7
SHA512: 64cdaf1d6d1b4072e24f3926f91103abf946ff044cda34a9070586c2d2927bcdfc53381c955e447a38965ee426373259759025f97b715158afc429080956196f
-
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\20240531122947_2634a6b905374f72b98a959512785f32.trn
Filesize: 3KB
MD5: 3f019d2d891f1f2ee2acb01cea91b726
SHA1: f420b7976d5b7b4418362684710cba9255da4057
SHA256: 86838d4c106675872ee0505270ac8ff128aa8045a4c065c646db7626830d5df3
SHA512: 0c38451454c4d97402d55c9825f0db86980bd4167dd18daa477602aa1bc402511e07d156a99e735ebabda2bb1fa7d82a361d57eaeff5f50e57a11c1a176ef90f
-
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240531122949_0fe5365e1b354647a5b6158ddbd66407.trn
Filesize: 4KB
MD5: 77ae1fe497041f047fb70dbcb2f56f7e
SHA1: 1e72a1f17cfd4684187021419c4d53e93266d6fe
SHA256: 857176ddb6e64142ff87377460fc6e31d313d08818a798c40f47a154d7c7f555
SHA512: 193bce57764158e78707c91776bc8a2af7bffdb3877f076cdd3f5bb04112f6666dddcf38d56efed3277f29737ddbf9baaea2c8e806bc0b4fc23fda859ea15b07
-
Filesize: 19KB
MD5: 0f60c1785bfffd823fa7e755801b6033
SHA1: 194326cf1c130dbde80213b95558b806cd524626
SHA256: 798d80699f57507a2875688eaba71c7201db9315c359414dc509e8bfdef5c49a
SHA512: 87751ff6772dfaeb73cc5fd26c912610f010d404eff99bbd781217ba1a7b7b088399ab30159e5c9760368ec06de99b100ac08b6d45f1949db3c90c411ec2fccd
-
C:\Users\Admin\AppData\Local\Temp\ea5a24781d1469dac08971\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll
Filesize: 18KB
MD5: c5e7c4a539ea834661fe20f994330f7e
SHA1: e2ff1096f557212dde051887bfd4a450b23e9277
SHA256: bc53c6fb22f4bce970c87122579caf785f75cbc91d49f49e54229ba32ac7d447
SHA512: 7f3f32146637e7393f3f906ece45780c1082ac661fc8f6d88f469e0ca951e9a6bcbac4be8959359559e097ebeec8eb048407cb3276f0a7007c50298ee1294a07
-
C:\Users\Admin\AppData\Local\Temp\ea5a24781d1469dac08971\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll
Filesize: 115KB
MD5: aabfd8a438ae79b4f236ec3b45544dd2
SHA1: 32b026ab6dd4ce60c16fa48690f32632f7f4ac17
SHA256: 95cb344b58ed754e25f60c44f32303de9e65da603db06a9321d137580b3657ca
SHA512: 6eb438b1fa9bc62c1356d8f21b0706799d94024cf0c013fb435caaba82e0c6bbe3570edc91c71d36e906be0a28e1da854a47a377fa487aefcd5662eea85a1993
-
C:\Users\Admin\AppData\Local\Temp\ea5a24781d1469dac08971\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll
Filesize: 46KB
MD5: 355c1a112bc0f859b374a4b1c811c1e7
SHA1: b9a58bb26f334d517ab777b6226fef86a67eb4dd
SHA256: cc52e19735d6152702672feb5911c8ba77f60fdc73df5ed0d601b37415f3a7ed
SHA512: f1e858f97dabeb8e9648d1eb753d6fcd9e2bab378259c02b3e031652e87c29fbabfc48d209983f7074dfc256afd42fa1d8184805534037771a71db517fe16c8b
-
C:\Users\Admin\AppData\Local\Temp\ea5a24781d1469dac08971\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll
Filesize: 579KB
MD5: 08645c50cb281af1371e8f0ded10ab67
SHA1: ae06060913c4be03af0e1736650d64e8cda7ad55
SHA256: 7bfa4386a603b98af49099d67f5c5d1e7a50b15107f9780e7f7f50f39234bed9
SHA512: bfb8a02db556bd1e7808fcaed00bcb938758eefd21f04bd47c6c5a04293b781189ec88a31210efd6972be364334fd5e25ba6a83c972c5ec4cf0b8726cb4a77f5
-
C:\Users\Admin\AppData\Local\Temp\ea5a24781d1469dac08971\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll
Filesize: 306KB
MD5: 8a9cbbe63d730d60ef5159bed516bc78
SHA1: 130c25908dd4201db8e6a2f2319eafc86114b7c3
SHA256: 4e94690f548ef43a279a1f55807713eb970fa7a0fc9e64602779595778766064
SHA512: 102ed30752a61712b024c5460e895e161ba22f4583f1148f6c0704edaebf703eeb7b65bd393ffd056df837d5b57220b7b87bc635884b5aa1d6516afb36370c46
-
C:\Users\Admin\AppData\Local\Temp\ea5a24781d1469dac08971\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll
Filesize: 1.4MB
MD5: da8106a5723b5d66cd6b1713ece8b91b
SHA1: 73bfd5942bdacc4c87b003c6c5555fea4ba6251f
SHA256: 7c481dc4e4c2ed5df782a794f571808aec82a71c4fdb1054939a42c4b9f368aa
SHA512: eec20eb53e88e6a96ecaa8496256235176ce586563d8c29d1c3537b5e34213209bd225235ae253b60a7266aaac56e655af229ba6b89b87ad24f4ce4349f0cbb2
-
C:\Users\Admin\AppData\Local\Temp\ea5a24781d1469dac08971\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll
Filesize: 995KB
MD5: bbcc8244db84ad2031ac010633abf798
SHA1: de0cb65ee877663da272b4162a55a64ab8669f74
SHA256: 8fe17ff9da7932dc01a39ed27559d5cdfa9b97ba14cbaa9f719087a241c8b82d
SHA512: d5682ea1aa9d50e9a491f8dc25c82907cde24ead2842ea392242e8cdedf49f68f3035042442738e147b5aa29d6328ced68007732298f62466c78fd10b276b06f
-
C:\Users\Admin\AppData\Local\Temp\ea5a24781d1469dac08971\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll
Filesize: 62KB
MD5: 2dc1dc66b267a3470add7fab88b78069
SHA1: dbe80047475b503791038ed7e47389c062c15c72
SHA256: b044863f98af8d28f4f2f5e2dccb945c57439e1575afb37110e1eec306a6c89c
SHA512: 44ef73aab50dcc13ccd94c0353c366818afb27ce73772d722755b04add0c4f294c7814c84da6069d9aa6136f2a48683c25062dcddd1664e8d32fed1b38ceca21
-
Filesize: 695KB
MD5: 195ffb7167db3219b217c4fd439eedd6
SHA1: 1e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256: e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
SHA512: 56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
-
Filesize: 138KB
MD5: f09441a1ee47fb3e6571a3a448e05baf
SHA1: 3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde
SHA256: bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f
SHA512: 0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6
-
C:\Users\Admin\AppData\Local\Temp\ea5a24781d1469dac08971\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll
Filesize: 17KB
MD5: c610e828b54001574d86dd2ed730e392
SHA1: 180a7baafbc820a838bbaca434032d9d33cceebe
SHA256: 37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf
SHA512: 441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396
-
Filesize: 8KB
MD5: 782f4beae90d11351db508f38271eb26
SHA1: f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c
SHA256: c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9
SHA512: 0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4
-
C:\Users\Admin\AppData\Local\Temp\ea5a24781d1469dac08971\vs_bootstrapper_d15\vs_setup_bootstrapper.config
Filesize: 622B
MD5: 411da3ce9864f91f54ac6dd151a3bfe5
SHA1: 8a6c8fed947dbbbb0b59ed0ee36d0614d5327fdf
SHA256: 3b82429a018c53af697b57369e78595c16d157b95a4cc7755b781232f0a0d1dc
SHA512: ab9250dd2b6fef3f74512d97f3ce4954ebd475696f528f54d8afcaac728c2221ef7185595dade917256031c2e369849246d46c0fee0ff2d891fc0a38aa7aba81
-
C:\Users\Admin\AppData\Local\Temp\ea5a24781d1469dac08971\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
Filesize: 404KB
MD5: 4108506d8cdc3a03bb7e4496025ee902
SHA1: a02d206f205a1a45b5223a73bfe84e25b359d251
SHA256: f9bf0a30395e521d65fb1e39a6a76e19c061a8d3806653fc7f5b28b9fb327903
SHA512: b4a7aa0c65e3a3279d0845a02e896a85d5f5074a79ee3ab52a8aa422fab759d4fab177961c03f280ca7499e10678d29e951946283b26d2ca107d5be76c76e8e8
-
C:\Users\Admin\AppData\Local\Temp\ea5a24781d1469dac08971\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config
Filesize: 2KB
MD5: c301859aef3bf4c0914914e5807f6a5b
SHA1: 908827ce12d093d2aa3d1e8baa8caf8bfe204fbd
SHA256: 781ec48ae412ba18c2cea1b67f5bc4a33245fd5f96dbb0e58b218c98ee03785d
SHA512: 0b9eeb0288b01ddfde11404b15378694145978bdd664b68befe5f776f65f950d35f54b7f29662a64ff91feb4dc0e9bd537864e46a1f3f252e8113ddf95f32f0b