acc5fec0885cda45e8d3f235f0dbb7fd6f1a3f83a427f29ee18a33533aa125a7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 16:06 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

793KB
MD5

7d9914483a2f5ae005d4f11f7ca786cb
SHA1

e39e7916c3fff339df9a068bc108d4f7b770d232
SHA256

acc5fec0885cda45e8d3f235f0dbb7fd6f1a3f83a427f29ee18a33533aa125a7
SHA512

708d1ea1824c6ce5b7b933fb3142b276004541f6d34d1067fa90cffa0b64597d41403a42cb07ba826ad7d78eec4fa7ae3c079143f069f1180ef82b86e105aa34
SSDEEP

12288:xJzpLYI40INR++Qwa0FvXocH9j6d8emgauKrmP23qSpmyr8:zGIt8R+wvXocH9j6qemgaut

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	BootstrapperV1.11.exe

Deletes itself 1 IoCs

pid	Process
2968	BootstrapperV1.11.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	BootstrapperV1.11.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
16	pastebin.com
37	raw.githubusercontent.com
3	pastebin.com
5	pastebin.com
12	raw.githubusercontent.com
13	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV1.11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2968	BootstrapperV1.11.exe
2968	BootstrapperV1.11.exe
3672	chrome.exe
3672	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	872	Bootstrapper.exe
Token: SeDebugPrivilege	2968	BootstrapperV1.11.exe
Token: SeShutdownPrivilege	4008	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4008	msiexec.exe
Token: SeSecurityPrivilege	3448	msiexec.exe
Token: SeCreateTokenPrivilege	4008	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4008	msiexec.exe
Token: SeLockMemoryPrivilege	4008	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4008	msiexec.exe
Token: SeMachineAccountPrivilege	4008	msiexec.exe
Token: SeTcbPrivilege	4008	msiexec.exe
Token: SeSecurityPrivilege	4008	msiexec.exe
Token: SeTakeOwnershipPrivilege	4008	msiexec.exe
Token: SeLoadDriverPrivilege	4008	msiexec.exe
Token: SeSystemProfilePrivilege	4008	msiexec.exe
Token: SeSystemtimePrivilege	4008	msiexec.exe
Token: SeProfSingleProcessPrivilege	4008	msiexec.exe
Token: SeIncBasePriorityPrivilege	4008	msiexec.exe
Token: SeCreatePagefilePrivilege	4008	msiexec.exe
Token: SeCreatePermanentPrivilege	4008	msiexec.exe
Token: SeBackupPrivilege	4008	msiexec.exe
Token: SeRestorePrivilege	4008	msiexec.exe
Token: SeShutdownPrivilege	4008	msiexec.exe
Token: SeDebugPrivilege	4008	msiexec.exe
Token: SeAuditPrivilege	4008	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4008	msiexec.exe
Token: SeChangeNotifyPrivilege	4008	msiexec.exe
Token: SeRemoteShutdownPrivilege	4008	msiexec.exe
Token: SeUndockPrivilege	4008	msiexec.exe
Token: SeSyncAgentPrivilege	4008	msiexec.exe
Token: SeEnableDelegationPrivilege	4008	msiexec.exe
Token: SeManageVolumePrivilege	4008	msiexec.exe
Token: SeImpersonatePrivilege	4008	msiexec.exe
Token: SeCreateGlobalPrivilege	4008	msiexec.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 2968	872	Bootstrapper.exe	85
PID 872 wrote to memory of 2968	872	Bootstrapper.exe	85
PID 872 wrote to memory of 2968	872	Bootstrapper.exe	85
PID 2968 wrote to memory of 4008	2968	BootstrapperV1.11.exe	89
PID 2968 wrote to memory of 4008	2968	BootstrapperV1.11.exe	89
PID 2968 wrote to memory of 4008	2968	BootstrapperV1.11.exe	89
PID 3672 wrote to memory of 2408	3672	chrome.exe	93
PID 3672 wrote to memory of 2408	3672	chrome.exe	93
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 5084	3672	chrome.exe	94
PID 3672 wrote to memory of 4084	3672	chrome.exe	95
PID 3672 wrote to memory of 4084	3672	chrome.exe	95
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96
PID 3672 wrote to memory of 384	3672	chrome.exe	96

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4008

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff97216cc40,0x7ff97216cc4c,0x7ff97216cc58
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,5067619358773524247,14926975222624094703,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2192,i,5067619358773524247,14926975222624094703,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,5067619358773524247,14926975222624094703,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,5067619358773524247,14926975222624094703,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3328,i,5067619358773524247,14926975222624094703,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4604,i,5067619358773524247,14926975222624094703,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4616,i,5067619358773524247,14926975222624094703,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4052 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4408,i,5067619358773524247,14926975222624094703,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:4604
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff773064698,0x7ff7730646a4,0x7ff7730646b0
    3⤵
    - Drops file in Program Files directory
    PID:4596

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1352

Network

DNS

pastebin.com

BootstrapperV1.11.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

172.67.19.24

pastebin.com

IN A

104.20.4.235

pastebin.com

IN A

104.20.3.235
DNS

pastebin.com

BootstrapperV1.11.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR
GET

https://pastebin.com/raw/xr5Gb4Bn

Bootstrapper.exe

Remote address:

172.67.19.24:443

Request

GET /raw/xr5Gb4Bn HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 02 Aug 2024 16:06:23 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 188
Last-Modified: Fri, 02 Aug 2024 16:03:15 GMT
Server: cloudflare
CF-RAY: 8acf509bac083867-LHR
DNS

github.com

BootstrapperV1.11.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
GET

https://github.com/cmd-softworks/solara/raw/main/Bootstrapper.exe

Bootstrapper.exe

Remote address:

20.26.156.215:443

Request

GET /cmd-softworks/solara/raw/main/Bootstrapper.exe HTTP/1.1
Host: github.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Fri, 02 Aug 2024 16:06:23 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/cmd-softworks/solara/main/Bootstrapper.exe
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com api.githubcopilot.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com/v1/engines/github-completion/completions proxy.enterprise.githubcopilot.com/v1/engines/github-completion/completions *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: E8E1:3E7E88:1BF85AB:1EF540E:66AD03FF
DNS

140.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.32.126.40.in-addr.arpa

IN PTR

Response
DNS

24.19.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.19.67.172.in-addr.arpa

IN PTR

Response
DNS

215.156.26.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

215.156.26.20.in-addr.arpa

IN PTR

Response
DNS

raw.githubusercontent.com

BootstrapperV1.11.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.111.133
GET

https://raw.githubusercontent.com/cmd-softworks/solara/main/Bootstrapper.exe

Bootstrapper.exe

Remote address:

185.199.110.133:443

Request

GET /cmd-softworks/solara/main/Bootstrapper.exe HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 814592
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "e69e6cad727b1e16546b68eadc50b3aacc07de76515eef31d0676f376453f7f7"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: D8AD:5AF12:6C5A41:871626:66A804CE
Accept-Ranges: bytes
Date: Fri, 02 Aug 2024 16:06:24 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600027-LCY
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1722614784.966999,VS0,VE77
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: d35a77781b7117f3d2b7c95e285ce776243c11e1
Expires: Fri, 02 Aug 2024 16:11:24 GMT
Source-Age: 0
DNS

133.110.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.110.199.185.in-addr.arpa

IN PTR

Response

133.110.199.185.in-addr.arpa

IN PTR

cdn-185-199-110-133githubcom
GET

https://pastebin.com/raw/xr5Gb4Bn

BootstrapperV1.11.exe

Remote address:

172.67.19.24:443

Request

GET /raw/xr5Gb4Bn HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 02 Aug 2024 16:06:26 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 191
Last-Modified: Fri, 02 Aug 2024 16:03:15 GMT
Server: cloudflare
CF-RAY: 8acf50b0feb8954d-LHR
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

clientsettings.roblox.com

BootstrapperV1.11.exe

Remote address:

8.8.8.8:53

Request

clientsettings.roblox.com

IN A

Response

clientsettings.roblox.com

IN CNAME

titanium.roblox.com

titanium.roblox.com

IN CNAME

edge-term4.roblox.com

edge-term4.roblox.com

IN CNAME

edge-term4-lhr2.roblox.com

edge-term4-lhr2.roblox.com

IN A

128.116.119.4
GET

https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live

BootstrapperV1.11.exe

Remote address:

128.116.119.4:443

Request

GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1
Host: clientsettings.roblox.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

content-length: 119
content-type: application/json; charset=utf-8
date: Fri, 02 Aug 2024 16:06:26 GMT
server: Kestrel
cache-control: no-cache
strict-transport-security: max-age=3600
x-frame-options: SAMEORIGIN
roblox-machine-id: c9b268ee-b55a-32e0-fa33-346c3191ce40
x-roblox-region: us-central_rbx
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=259200
x-roblox-edge: lhr2
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1}
DNS

4.119.116.128.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.119.116.128.in-addr.arpa

IN PTR

Response
DNS

www.nodejs.org

BootstrapperV1.11.exe

Remote address:

8.8.8.8:53

Request

www.nodejs.org

IN A

Response

www.nodejs.org

IN A

104.20.23.46

www.nodejs.org

IN A

104.20.22.46
DNS

www.nodejs.org

BootstrapperV1.11.exe

Remote address:

8.8.8.8:53

Request

www.nodejs.org

IN A
DNS

www.nodejs.org

BootstrapperV1.11.exe

Remote address:

8.8.8.8:53

Request

www.nodejs.org

IN A
GET

https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi

BootstrapperV1.11.exe

Remote address:

104.20.23.46:443

Request

GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1
Host: www.nodejs.org
Connection: Keep-Alive

Response

HTTP/1.1 307 Temporary Redirect

Date: Fri, 02 Aug 2024 16:06:31 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: public, max-age=0, must-revalidate
location: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-vercel-id: lhr1::m2dml-1722614791456-84bf2b43cf9c
CF-Cache-Status: DYNAMIC
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8acf50ce6a65bf0e-LHR
DNS

nodejs.org

BootstrapperV1.11.exe

Remote address:

8.8.8.8:53

Request

nodejs.org

IN A

Response

nodejs.org

IN A

104.20.22.46

nodejs.org

IN A

104.20.23.46
GET

https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi

BootstrapperV1.11.exe

Remote address:

104.20.22.46:443

Request

GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1
Host: nodejs.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 02 Aug 2024 16:06:35 GMT
Content-Type: application/octet-stream
Content-Length: 31539200
Connection: keep-alive
last-modified: Wed, 12 Apr 2023 04:13:37 GMT
etag: "64362ff1-1e14000"
Cache-Control: public, max-age=3600, s-maxage=14400
CF-Cache-Status: MISS
Accept-Ranges: bytes
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8acf50cfb9a35280-LHR
DNS

46.23.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

46.23.20.104.in-addr.arpa

IN PTR

Response
DNS

46.22.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

46.22.20.104.in-addr.arpa

IN PTR

Response
DNS

46.22.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

46.22.20.104.in-addr.arpa

IN PTR
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

github.com

BootstrapperV1.11.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
GET

https://github.com/cmd-softworks/solara/raw/main/Solara.Dir.zip

BootstrapperV1.11.exe

Remote address:

20.26.156.215:443

Request

GET /cmd-softworks/solara/raw/main/Solara.Dir.zip HTTP/1.1
Host: github.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Fri, 02 Aug 2024 16:06:13 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/cmd-softworks/solara/main/Solara.Dir.zip
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com api.githubcopilot.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com/v1/engines/github-completion/completions proxy.enterprise.githubcopilot.com/v1/engines/github-completion/completions *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: E900:3C6B29:1ED7917:2213E23:66AD045E
GET

https://raw.githubusercontent.com/cmd-softworks/solara/main/Solara.Dir.zip

BootstrapperV1.11.exe

Remote address:

185.199.110.133:443

Request

GET /cmd-softworks/solara/main/Solara.Dir.zip HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 8001069
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/zip
ETag: "7c3a67aa5edfca3a079643c46cd2d96d74660fc02a140c95041970c643c1d8e0"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: F8E4:95BBF:56F6BC:6C1509:66AAB002
Accept-Ranges: bytes
Date: Fri, 02 Aug 2024 16:07:58 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4261-LON
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1722614879.853250,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 859236df80e1bfc2852483e78102a8b9be5a095a
Expires: Fri, 02 Aug 2024 16:12:58 GMT
Source-Age: 105
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.27.104

www.google.com

IN A

142.250.27.147

www.google.com

IN A

142.250.27.103

www.google.com

IN A

142.250.27.105

www.google.com

IN A

142.250.27.99

www.google.com

IN A

142.250.27.106
GET

https://www.google.com/async/ddljson?async=ntp:2

chrome.exe

Remote address:

142.250.27.104:443

Request

GET /async/ddljson?async=ntp:2 HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

chrome.exe

Remote address:

142.250.27.104:443

Request

GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/2.0
host: www.google.com
x-client-data: CN7nygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_promos

chrome.exe

Remote address:

142.250.27.104:443

Request

GET /async/newtab_promos HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

94.27.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

94.27.250.142.in-addr.arpa

IN PTR

Response

94.27.250.142.in-addr.arpa

IN PTR

ra-in-f941e100net
DNS

95.102.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.102.250.142.in-addr.arpa

IN PTR

Response

95.102.250.142.in-addr.arpa

IN PTR

rb-in-f951e100net
DNS

104.27.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.27.250.142.in-addr.arpa

IN PTR

Response

104.27.250.142.in-addr.arpa

IN PTR

ra-in-f1041e100net
DNS

clients2.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.102.113

clients.l.google.com

IN A

142.250.102.139

clients.l.google.com

IN A

142.250.102.138

clients.l.google.com

IN A

142.250.102.100

clients.l.google.com

IN A

142.250.102.102

clients.l.google.com

IN A

142.250.102.101
DNS

113.102.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

113.102.250.142.in-addr.arpa

IN PTR

Response

113.102.250.142.in-addr.arpa

IN PTR

rb-in-f1131e100net

172.67.19.24:443

https://pastebin.com/raw/xr5Gb4Bn

tls, http

Bootstrapper.exe

778 B
4.4kB
9
9

HTTP Request

GET https://pastebin.com/raw/xr5Gb4Bn

HTTP Response

200
20.26.156.215:443

https://github.com/cmd-softworks/solara/raw/main/Bootstrapper.exe

tls, http

Bootstrapper.exe

802 B
7.6kB
9
9

HTTP Request

GET https://github.com/cmd-softworks/solara/raw/main/Bootstrapper.exe

HTTP Response

302
185.199.110.133:443

https://raw.githubusercontent.com/cmd-softworks/solara/main/Bootstrapper.exe

tls, http

Bootstrapper.exe

21.6kB
848.6kB
395
613

HTTP Request

GET https://raw.githubusercontent.com/cmd-softworks/solara/main/Bootstrapper.exe

HTTP Response

200
172.67.19.24:443

https://pastebin.com/raw/xr5Gb4Bn

tls, http

BootstrapperV1.11.exe

870 B
4.4kB
11
11

HTTP Request

GET https://pastebin.com/raw/xr5Gb4Bn

HTTP Response

200
128.116.119.4:443

https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live

tls, http

BootstrapperV1.11.exe

922 B
6.6kB
11
11

HTTP Request

GET https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live

HTTP Response

200
104.20.23.46:443

https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi

tls, http

BootstrapperV1.11.exe

891 B
6.8kB
11
13

HTTP Request

GET https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi

HTTP Response

307
104.20.22.46:443

https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi

tls, http

BootstrapperV1.11.exe

34.2kB
1.7MB
720
1297

HTTP Request

GET https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi

HTTP Response

200
20.26.156.215:443

https://github.com/cmd-softworks/solara/raw/main/Solara.Dir.zip

tls, http

BootstrapperV1.11.exe

800 B
7.5kB
9
8

HTTP Request

GET https://github.com/cmd-softworks/solara/raw/main/Solara.Dir.zip

HTTP Response

302
185.199.110.133:443

https://raw.githubusercontent.com/cmd-softworks/solara/main/Solara.Dir.zip

tls, http

BootstrapperV1.11.exe

155.7kB
8.3MB
3266
5919

HTTP Request

GET https://raw.githubusercontent.com/cmd-softworks/solara/main/Solara.Dir.zip

HTTP Response

200
142.250.27.104:443

https://www.google.com/async/newtab_promos

tls, http2

chrome.exe

2.4kB
9.8kB
22
25

HTTP Request

GET https://www.google.com/async/ddljson?async=ntp:2

HTTP Request

GET https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

HTTP Request

GET https://www.google.com/async/newtab_promos
142.250.102.113:443

clients2.google.com

tls, http2

chrome.exe

2.2kB
8.1kB
12
9

8.8.8.8:53

pastebin.com

dns

BootstrapperV1.11.exe

116 B
106 B
2
1

DNS Request

pastebin.com

DNS Request

pastebin.com

DNS Response

172.67.19.24

104.20.4.235

104.20.3.235
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

132 B
90 B
2
1

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

github.com

dns

BootstrapperV1.11.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

140.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

140.32.126.40.in-addr.arpa
8.8.8.8:53

24.19.67.172.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

24.19.67.172.in-addr.arpa
8.8.8.8:53

215.156.26.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

215.156.26.20.in-addr.arpa
8.8.8.8:53

raw.githubusercontent.com

dns

BootstrapperV1.11.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.110.133

185.199.109.133

185.199.108.133

185.199.111.133
8.8.8.8:53

133.110.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.110.199.185.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

clientsettings.roblox.com

dns

BootstrapperV1.11.exe

71 B
165 B
1
1

DNS Request

clientsettings.roblox.com

DNS Response

128.116.119.4
8.8.8.8:53

4.119.116.128.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

4.119.116.128.in-addr.arpa
8.8.8.8:53

www.nodejs.org

dns

BootstrapperV1.11.exe

180 B
92 B
3
1

DNS Request

www.nodejs.org

DNS Request

www.nodejs.org

DNS Request

www.nodejs.org

DNS Response

104.20.23.46

104.20.22.46
8.8.8.8:53

nodejs.org

dns

BootstrapperV1.11.exe

56 B
88 B
1
1

DNS Request

nodejs.org

DNS Response

104.20.22.46

104.20.23.46
8.8.8.8:53

46.23.20.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

46.23.20.104.in-addr.arpa
8.8.8.8:53

46.22.20.104.in-addr.arpa

dns

142 B
133 B
2
1

DNS Request

46.22.20.104.in-addr.arpa

DNS Request

46.22.20.104.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

github.com

dns

BootstrapperV1.11.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

www.google.com

dns

chrome.exe

60 B
156 B
1
1

DNS Request

www.google.com

DNS Response

142.250.27.104

142.250.27.147

142.250.27.103

142.250.27.105

142.250.27.99

142.250.27.106
142.250.27.104:443

www.google.com

https

chrome.exe

5.2kB
20.3kB
28
27
8.8.8.8:53

94.27.250.142.in-addr.arpa

dns

72 B
105 B
1
1

DNS Request

94.27.250.142.in-addr.arpa
8.8.8.8:53

95.102.250.142.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

95.102.250.142.in-addr.arpa
8.8.8.8:53

104.27.250.142.in-addr.arpa

dns

73 B
107 B
1
1

DNS Request

104.27.250.142.in-addr.arpa
8.8.8.8:53

clients2.google.com

dns

chrome.exe

65 B
185 B
1
1

DNS Request

clients2.google.com

DNS Response

142.250.102.113

142.250.102.139

142.250.102.138

142.250.102.100

142.250.102.102

142.250.102.101
142.250.102.113:443

clients2.google.com

https

chrome.exe

5.0kB
8.1kB
12
11
224.0.0.251:5353

chrome.exe

204 B
3
8.8.8.8:53

113.102.250.142.in-addr.arpa

dns

74 B
108 B
1
1

DNS Request

113.102.250.142.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
93b5d7b17bbb8a98f8d7ad25662a8c36

SHA1
e546a9f265c883e041cf4eb58a4068aec82254ad

SHA256
2d1c133dbcd6482d06038880422b1644c8efbf248c6d976e5ada48c78e0d68c6

SHA512
bb84b687af84e940a4ad85f73ff2e784d3eacae20ba2f0f7aa264e68acc04477a630e76aeea9c1c8b09c56ec63d19246dee5127e361322784f1663cc32dd31e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d0ade9559efb4acf85c9d766f8473943

SHA1
761437da61993e6cf09abae5cadb519e5b58915c

SHA256
f7a54d459bc220bd1ba21522e6f35a783e04ab2209fd9182138200659da176d2

SHA512
44ecde01e3aca614454bac423f67ff00c84058e551b4b2f83203a8e3a20b78f72012bfc37fbfb97cedea54c7ba4c20c79399179b2fc44c983cf805e049c6085b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
64139f1d1f23fef79163581bcca7812b

SHA1
645669443ecb45ee2cc3c11d4763fc1d69d256a5

SHA256
9ff82d79ff009fdf2c6930511fed1f73f2bdccd701f67be82b72706cf6fd91c8

SHA512
4ba891824bcc653ddc4291b1abda369e79c5f871de4e23abbd06230adbf093d81a776ad0a838222d2fac883cb7f26730c145e8e85f8c6c45b44ee3b9fc6495b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
85427f21a0b11f372ebc97a14a6234f1

SHA1
409d7e44d30ed978449935ef48e0971831cf310d

SHA256
4ed41faab4cf5d78dbaccf3a13922003e20a0882c2af72e74103df3cfcde5ed3

SHA512
4c74926e08e56b1160326d1b9d6734cc7e36111983a5cec78a6c9d8fecaac5b0f788d0534993e039aaee87f323afee7c26a93c51f8b712a73a31b009c1ebcc96

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe

Filesize
795KB

MD5
365971e549352a15e150b60294ec2e57

SHA1
2932242b427e81b1b4ac8c11fb17793eae0939f7

SHA256
faad2bc8e61b75e595a80ff2b6d150ff8b27187a8ba426cc1e5e38e193ab6d42

SHA512
f7ba1353e880213a6bdf5bd1dfdfd42a0acf4066a540a502e8df8fec8eac7fb80b75aa52e68eca98be3f7701da48eb90758e5b94d72013d3dff05e0aaf27e938

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
1.5MB

MD5
cf7fa4babf20b3d11f76f15785a02a59

SHA1
c6d8dcb6f0253e44e8f644d497b4f261f178554b

SHA256
acae948ed87ed3146049e7009c133cf34b01deea85b163ca1c58967f1f8542e4

SHA512
552ad9758944143e7fada78dd9d922896d7fac450d6296fad83fb3a6e5bbd22ef2a1e47e478f674d87a9f18505703286faa7a3ece770255cde8eeaccac421963

Download Submit
memory/872-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/872-1-0x0000000000A20000-0x0000000000AEC000-memory.dmp

Filesize
816KB

Download
memory/872-2-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/872-3-0x0000000005E70000-0x0000000005E92000-memory.dmp

Filesize
136KB

Download
memory/872-4-0x0000000005EA0000-0x00000000061F4000-memory.dmp

Filesize
3.3MB

Download
memory/872-17-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/2968-18-0x00000000007C0000-0x000000000088E000-memory.dmp

Filesize
824KB

Download
memory/2968-428-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/2968-26-0x0000000000E20000-0x0000000000E32000-memory.dmp

Filesize
72KB

Download
memory/2968-24-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download
memory/2968-19-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/2968-21-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/2968-20-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.