Windows Analysis Report
XoilaFixer.exe

Overview

General Information

Sample name: XoilaFixer.exe
Analysis ID: 1647480
MD5: cd3c6e9d220bc5f45ccdbc65958b4595
SHA1: 4b1c43a79d6f0827f87a797734ee2ec9cc361e17
SHA256: 42e006cd726aa80af62ca03f177476b7c592bce5a77a4b3a074abda88e3dbe5d
Tags: exe, user-BastianHein

Detection

XWorm
Score: 96
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains potential unpacker
Joe Sandbox ML detected suspicious sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

[Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious]
  • System is w10x64
  • XoilaFixer.exe (PID: 7744 cmdline: "C:\Users\user\Desktop\XoilaFixer.exe" MD5: CD3C6E9D220BC5F45CCDBC65958B4595)
  • XoilaFixer.exe (PID: 7412 cmdline: "C:\Users\user\AppData\Roaming\XoilaFixer.exe" MD5: CD3C6E9D220BC5F45CCDBC65958B4595)
  • XoilaFixer.exe (PID: 5348 cmdline: "C:\Users\user\AppData\Roaming\XoilaFixer.exe" MD5: CD3C6E9D220BC5F45CCDBC65958B4595)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
XoilaFixer.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
XoilaFixer.exe | rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io
  • 0xa552:$str02: ngrok
  • 0xa592:$str02: ngrok
  • 0xa650:$str04: FileManagerSplitFileManagerSplit
  • 0xa570:$str05: InstallngC
  • 0xa28c:$str06: downloadedfile
  • 0xa25e:$str07: creatfile
  • 0xa240:$str08: creatnewfolder
  • 0xa222:$str09: showfolderfile
  • 0xa204:$str10: hidefolderfile
  • 0xa1d6:$str11: txtttt
  • 0xabff:$str12: \root\SecurityCenter2
  • 0xa6d6:$str13: [USB]
  • 0xa6bc:$str14: [Drive]
  • 0xa63e:$str15: [Folder]
  • 0xa540:$str16: HVNC
  • 0xac2b:$str19: Select * from AntivirusProduct
  • 0x9f98:$str20: runnnnnn
  • 0x9e38:$str21: RunBotKiller
XoilaFixer.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xa897:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xa934:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xaa49:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xac8f:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\XoilaFixer.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\XoilaFixer.exe | rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io
  • 0xa552:$str02: ngrok
  • 0xa592:$str02: ngrok
  • 0xa650:$str04: FileManagerSplitFileManagerSplit
  • 0xa570:$str05: InstallngC
  • 0xa28c:$str06: downloadedfile
  • 0xa25e:$str07: creatfile
  • 0xa240:$str08: creatnewfolder
  • 0xa222:$str09: showfolderfile
  • 0xa204:$str10: hidefolderfile
  • 0xa1d6:$str11: txtttt
  • 0xabff:$str12: \root\SecurityCenter2
  • 0xa6d6:$str13: [USB]
  • 0xa6bc:$str14: [Drive]
  • 0xa63e:$str15: [Folder]
  • 0xa540:$str16: HVNC
  • 0xac2b:$str19: Select * from AntivirusProduct
  • 0x9f98:$str20: runnnnnn
  • 0x9e38:$str21: RunBotKiller
C:\Users\user\AppData\Roaming\XoilaFixer.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xa897:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xa934:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xaa49:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xac8f:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000001.00000000.1208693955.00000000003E2000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000001.00000000.1208693955.00000000003E2000.00000002.00000001.01000000.00000006.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xa697:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xa734:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xa849:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xaa8f:$cnc4: POST / HTTP/1.1
00000001.00000002.2451612510.000000001B0B0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000001.00000002.2451612510.000000001B0B0000.00000004.08000000.00040000.00000000.sdmp | rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io
  • 0x9bc4:$str02: ngrok
  • 0x9c0e:$str02: ngrok
  • 0x9cd8:$str04: FileManagerSplitFileManagerSplit
  • 0x9be2:$str05: InstallngC
  • 0x98fe:$str06: downloadedfile
  • 0x98d0:$str07: creatfile
  • 0x98b2:$str08: creatnewfolder
  • 0x9894:$str09: showfolderfile
  • 0x9876:$str10: hidefolderfile
  • 0x9848:$str11: txtttt
  • 0xa21f:$str12: \root\SecurityCenter2
  • 0x9d5e:$str13: [USB]
  • 0x9d44:$str14: [Drive]
  • 0x9cc6:$str15: [Folder]
  • 0x9bb2:$str16: HVNC
  • 0xa24b:$str19: Select * from AntivirusProduct
  • 0x9670:$str20: runnnnnn
  • 0x9510:$str21: RunBotKiller
00000001.00000002.2451612510.000000001B0B0000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x9f31:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x9fce:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xa0e3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xa2af:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
1.2.XoilaFixer.exe.1b0b0000.1.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
1.2.XoilaFixer.exe.1b0b0000.1.raw.unpack | rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io
  • 0x9bc4:$str02: ngrok
  • 0x9c0e:$str02: ngrok
  • 0x9cd8:$str04: FileManagerSplitFileManagerSplit
  • 0x9be2:$str05: InstallngC
  • 0x98fe:$str06: downloadedfile
  • 0x98d0:$str07: creatfile
  • 0x98b2:$str08: creatnewfolder
  • 0x9894:$str09: showfolderfile
  • 0x9876:$str10: hidefolderfile
  • 0x9848:$str11: txtttt
  • 0xa21f:$str12: \root\SecurityCenter2
  • 0x9d5e:$str13: [USB]
  • 0x9d44:$str14: [Drive]
  • 0x9cc6:$str15: [Folder]
  • 0x9bb2:$str16: HVNC
  • 0xa24b:$str19: Select * from AntivirusProduct
  • 0x9670:$str20: runnnnnn
  • 0x9510:$str21: RunBotKiller
1.2.XoilaFixer.exe.1b0b0000.1.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x9f31:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x9fce:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xa0e3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xa2af:$cnc4: POST / HTTP/1.1
1.0.XoilaFixer.exe.3e0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
1.0.XoilaFixer.exe.3e0000.0.unpack | rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io
  • 0xa552:$str02: ngrok
  • 0xa592:$str02: ngrok
  • 0xa650:$str04: FileManagerSplitFileManagerSplit
  • 0xa570:$str05: InstallngC
  • 0xa28c:$str06: downloadedfile
  • 0xa25e:$str07: creatfile
  • 0xa240:$str08: creatnewfolder
  • 0xa222:$str09: showfolderfile
  • 0xa204:$str10: hidefolderfile
  • 0xa1d6:$str11: txtttt
  • 0xabff:$str12: \root\SecurityCenter2
  • 0xa6d6:$str13: [USB]
  • 0xa6bc:$str14: [Drive]
  • 0xa63e:$str15: [Folder]
  • 0xa540:$str16: HVNC
  • 0xac2b:$str19: Select * from AntivirusProduct
  • 0x9f98:$str20: runnnnnn
  • 0x9e38:$str21: RunBotKiller

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\XoilaFixer.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\XoilaFixer.exe, ProcessId: 7744, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XoilaFixer
No Suricata rule has matched

AV Detection

Source: XoilaFixer.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | ReversingLabs: Detection: 63%
Source: XoilaFixer.exe | Virustotal: Detection: 56%
Source: XoilaFixer.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: XoilaFixer.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.6:49692 version: TLS 1.2
Source: XoilaFixer.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic | TCP traffic: 192.168.2.6:49697 -> 185.172.175.125:505
Source: global traffic | HTTP traffic detected: GET /76bh/img/main/Imagenep.png HTTP/1.1, Host: raw.githubusercontent.com, Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 185.199.111.133 185.199.111.133
Source: Joe Sandbox View | IP Address: 185.172.175.125 185.172.175.125
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /76bh/img/main/Imagenep.png HTTP/1.1, Host: raw.githubusercontent.com, Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: abolhb.com
Source: XoilaFixer.exe, 00000001.00000002.2450620075.000000000271A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: XoilaFixer.exe, 00000001.00000002.2450620075.0000000002671000.00000004.00000800.00020000.00000000.sdmp, XoilaFixer.exe, 00000001.00000002.2450620075.00000000026FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: XoilaFixer.exe, 00000001.00000002.2450620075.0000000002710000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercont
Source: XoilaFixer.exe, 00000001.00000002.2450620075.0000000002710000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: XoilaFixer.exe, XoilaFixer.exe.1.dr | String found in binary or memory: https://raw.githubusercontent.com/76bh/img/main/Imagenep.png
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.6:49692 version: TLS 1.2

              System Summary

              barindex
              Source: XoilaFixer.exe, type: SAMPLEMatched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
              Source: XoilaFixer.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 1.2.XoilaFixer.exe.1b0b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
              Source: 1.2.XoilaFixer.exe.1b0b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 1.0.XoilaFixer.exe.3e0000.0.unpack, type: UNPACKEDPEMatched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
              Source: 1.0.XoilaFixer.exe.3e0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 1.2.XoilaFixer.exe.289b120.0.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
              Source: 1.2.XoilaFixer.exe.289b120.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 1.2.XoilaFixer.exe.289b120.0.unpack, type: UNPACKEDPEMatched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
              Source: 1.2.XoilaFixer.exe.289b120.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 1.2.XoilaFixer.exe.1b0b0000.1.unpack, type: UNPACKEDPEMatched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
              Source: 1.2.XoilaFixer.exe.1b0b0000.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000001.00000000.1208693955.00000000003E2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000001.00000002.2451612510.000000001B0B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
              Source: 00000001.00000002.2451612510.000000001B0B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000001.00000002.2450620075.0000000002846000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000001.00000002.2450620075.000000000273E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: Process Memory Space: XoilaFixer.exe PID: 7744, type: MEMORYSTRMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, type: DROPPEDMatched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
              Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: XoilaFixer.exe, 00000001.00000002.2450620075.0000000002846000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameimage.exe4 vs XoilaFixer.exe
              Source: XoilaFixer.exe, 00000001.00000002.2450620075.000000000273E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameimage.exe4 vs XoilaFixer.exe
              Source: XoilaFixer.exe, 00000001.00000002.2451612510.000000001B0B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameimage.exe4 vs XoilaFixer.exe
              Source: XoilaFixer.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: XoilaFixer.exe, type: SAMPLEMatched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
              Source: XoilaFixer.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 1.2.XoilaFixer.exe.1b0b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
              Source: 1.2.XoilaFixer.exe.1b0b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 1.0.XoilaFixer.exe.3e0000.0.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
              Source: 1.0.XoilaFixer.exe.3e0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 1.2.XoilaFixer.exe.289b120.0.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
              Source: 1.2.XoilaFixer.exe.289b120.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 1.2.XoilaFixer.exe.289b120.0.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
              Source: 1.2.XoilaFixer.exe.289b120.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 1.2.XoilaFixer.exe.1b0b0000.1.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
              Source: 1.2.XoilaFixer.exe.1b0b0000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000001.00000000.1208693955.00000000003E2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000001.00000002.2451612510.000000001B0B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
              Source: 00000001.00000002.2451612510.000000001B0B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000001.00000002.2450620075.0000000002846000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000001.00000002.2450620075.000000000273E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: Process Memory Space: XoilaFixer.exe PID: 7744, type: MEMORYSTRMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, type: DROPPEDMatched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
              Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: XoilaFixer.exe, Announced.csCryptographic APIs: 'TransformFinalBlock'
              Source: XoilaFixer.exe, Announced.csCryptographic APIs: 'TransformFinalBlock'
              Source: XoilaFixer.exe.1.dr, Announced.csCryptographic APIs: 'TransformFinalBlock'
              Source: XoilaFixer.exe.1.dr, Announced.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.XoilaFixer.exe.1b0b0000.1.raw.unpack, Conviction.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.XoilaFixer.exe.1b0b0000.1.raw.unpack, Conviction.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.XoilaFixer.exe.289b120.0.raw.unpack, Conviction.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.XoilaFixer.exe.289b120.0.raw.unpack, Conviction.csCryptographic APIs: 'TransformFinalBlock'
              Source: XoilaFixer.exe.1.dr, Announced.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: XoilaFixer.exe.1.dr, Announced.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 1.2.XoilaFixer.exe.1b0b0000.1.raw.unpack, Conviction.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 1.2.XoilaFixer.exe.1b0b0000.1.raw.unpack, Conviction.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: XoilaFixer.exe, Announced.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: XoilaFixer.exe, Announced.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 1.2.XoilaFixer.exe.289b120.0.raw.unpack, Conviction.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 1.2.XoilaFixer.exe.289b120.0.raw.unpack, Conviction.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engineClassification label: mal96.troj.evad.winEXE@3/3@2/3
              Source: C:\Users\user\Desktop\XoilaFixer.exeFile created: C:\Users\user\AppData\Roaming\XoilaFixer.exeJump to behavior
              Source: C:\Users\user\AppData\Roaming\XoilaFixer.exeMutant created: NULL
              Source: C:\Users\user\Desktop\XoilaFixer.exeMutant created: \Sessions\1\BaseNamedObjects\pkjQhJlF9B5aPdSm
              Source: XoilaFixer.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: XoilaFixer.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\XoilaFixer.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: XoilaFixer.exeVirustotal: Detection: 56%
              Source: XoilaFixer.exeReversingLabs: Detection: 63%
              Source: C:\Users\user\Desktop\XoilaFixer.exeFile read: C:\Users\user\Desktop\XoilaFixer.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\XoilaFixer.exe "C:\Users\user\Desktop\XoilaFixer.exe"
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\XoilaFixer.exe "C:\Users\user\AppData\Roaming\XoilaFixer.exe"
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\XoilaFixer.exe "C:\Users\user\AppData\Roaming\XoilaFixer.exe"
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\XoilaFixer.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: amsi.dll (the .NET 4.8 runtime loads AMSI to scan assemblies passed to Assembly.Load(byte[]), which fits the in-memory loads listed under Data Obfuscation)
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: mscoree.dll (.NET Framework 4.x runtime; the *_clr0400.dll modules below are its CRT)
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: XoilaFixer.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (a populated CLR header marks the file as a managed .NET image, consistent with the ByteCode-MSIL label in the antivirus table below)
Source: XoilaFixer.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

Source: XoilaFixer.exe, Announced.cs | .Net Code: Supervisors System.AppDomain.Load(byte[])
Source: XoilaFixer.exe, Announced.cs | .Net Code: Telescope System.Reflection.Assembly.Load(byte[])
Source: XoilaFixer.exe.1.dr, Announced.cs | .Net Code: Supervisors System.AppDomain.Load(byte[])
Source: XoilaFixer.exe.1.dr, Announced.cs | .Net Code: Telescope System.Reflection.Assembly.Load(byte[])
Source: 1.2.XoilaFixer.exe.1b0b0000.1.raw.unpack, Conviction.cs | .Net Code: Surveillance System.Reflection.Assembly.Load(byte[])
Source: 1.2.XoilaFixer.exe.289b120.0.raw.unpack, Conviction.cs | .Net Code: Surveillance System.Reflection.Assembly.Load(byte[])
Note: Supervisors, Telescope and Surveillance are the renamed methods that hand a byte array to AppDomain.Load / Assembly.Load, i.e. the sample loads a further assembly straight from memory without writing it to disk; this is what the ".NET source code contains potential unpacker" signature refers to. The two .unpack sources are in-memory dumps taken from analysis process 1, and both match the XWorm Yara rules listed under Stealing of Sensitive Information and Remote Access Functionality.
Source: C:\Users\user\Desktop\XoilaFixer.exe | Code function: 1_2_00007FF88B4E00BD pushad ; iretd 1_2_00007FF88B4E00C1
Source: C:\Users\user\Desktop\XoilaFixer.exe | Code function: 1_2_00007FF88B4E1545 push eax; retf 1_2_00007FF88B4E15AD
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Code function: 8_2_00007FF88B4E00BD pushad ; iretd 8_2_00007FF88B4E00C1
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Code function: 10_2_00007FF88B4E00BD pushad ; iretd 10_2_00007FF88B4E00C1
Caveat: these hits come from disassembling bytes at 0x7FF8... addresses, i.e. inside a 64-bit process, where pushad is not a valid instruction at all. They are almost certainly data or JIT-generated stubs read as code, so the "Uses code obfuscation techniques (call, push, ret)" signature should carry little weight for this sample; the obfuscation that matters is the managed layer above (renamed methods loading assemblies from byte arrays).
Source: C:\Users\user\Desktop\XoilaFixer.exe | File created: C:\Users\user\AppData\Roaming\XoilaFixer.exe (dropped file)
Source: C:\Users\user\Desktop\XoilaFixer.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XoilaFixer
Source: C:\Users\user\Desktop\XoilaFixer.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XoilaFixer (second entry is the HKCU64 view, see the timeline below)
Source: C:\Users\user\Desktop\XoilaFixer.exe | Process information set: NOOPENFILEERRORBOX (46 identical entries collapsed)
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Process information set: NOOPENFILEERRORBOX (34 identical entries collapsed)
Note: SEM_NOOPENFILEERRORBOX is set through SetErrorMode and is routinely set by the .NET runtime in ordinary managed processes, so these entries are expected for any .NET executable and carry no weight on their own.
Source: C:\Users\user\Desktop\XoilaFixer.exe | Memory allocated: C30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XoilaFixer.exe | Memory allocated: 1A670000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Memory allocated: BA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Memory allocated: 1A700000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Memory allocated: 1370000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Memory allocated: 1B070000 memory reserve | memory write watch
Caveat: MEM_WRITE_WATCH reservations are made by the .NET garbage collector for its heap segments (two per process here, one per generation-0/large-object region), so in a managed process they are expected and are weak evidence for the "Allocates memory with a write watch (potentially for evading sandboxes)" signature.
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe TID: 2928 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe TID: 4508 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\XoilaFixer.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Thread delayed: delay time: 922337203685477
Note: 922337203685477 ms is TimeSpan.MaxValue (Int64.MaxValue ticks at 10,000 ticks per millisecond), so these are threads parked indefinitely rather than timed evasive sleeps; the negative values and the "s" unit in the TID lines are the report's rendering of the same number. Whether the parked thread is the main thread or a worker cannot be read from these lines, but other threads kept running, since persistence and network activity were recorded in the same run, and the timeline below shows the sandbox's API interceptor modifying 19 Sleep calls for this process.
Source: XoilaFixer.exe, 00000001.00000002.2449455740.0000000000942000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll 9
Note: "Hyper-V RAW" is the name of the AF_HYPERV Winsock provider that mswsock.dll registers on every Windows 10 installation; it shows up in process memory once Winsock is initialised and is not evidence that the sample probes for a hypervisor.
Source: C:\Users\user\Desktop\XoilaFixer.exe | Process token adjusted: Debug (SeDebugPrivilege enabled; the "Enables debug privileges" signature)
Source: C:\Users\user\Desktop\XoilaFixer.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\XoilaFixer.exe | Queries volume information: C:\Users\user\Desktop\XoilaFixer.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Queries volume information: C:\Users\user\AppData\Roaming\XoilaFixer.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Queries volume information: C:\Users\user\AppData\Roaming\XoilaFixer.exe VolumeInformation
Source: C:\Users\user\Desktop\XoilaFixer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (a stable per-installation value; RATs commonly read it to derive a victim identifier)
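The behaviour lines above mix strong signals (a self-copy into %APPDATA% wired into the Run key) with routine .NET runtime activity (SEM_NOOPENFILEERRORBOX, write-watch reservations, a TimeSpan.MaxValue park). The Python below is an added example, not Joe Sandbox's code: it runs a small rule set over lines constructed to mirror the report's wording and weights each finding so the runtime noise does not drown the real indicators. The regexes, the 3-minute threshold, the list of user-writable directories and the extra 240000 ms sleep line are this example's own assumptions.

```python
"""Weighted triage of sandbox behaviour lines (added example, not Joe Sandbox code)."""
import re
from collections import Counter
from dataclasses import dataclass

# 922337203685477 ms is TimeSpan.MaxValue: Int64.MaxValue ticks at 10,000 ticks/ms.
DOTNET_MAX_DELAY_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000  # the report's own ">= 3 min" threshold

# Assumed locations a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    weight: str   # "strong", "weak" or "info"
    detail: str


AUTORUN_RE = re.compile(r"AutostartRun: (?P<key>\S+) (?P<name>\S+) (?P<path>.+)$")
FILE_RE = re.compile(r"File created: (?P<path>.+?)(?:Jump to dropped file)?$")
DELAY_RE = re.compile(r"(?:delay time: |Thread sleep time: -?)(?P<ms>\d+)")
WATCH_RE = re.compile(r"Memory allocated: (?P<addr>[0-9A-F]+) .*memory write watch")
ERRBOX_RE = re.compile(r"Process information set: NOOPENFILEERRORBOX")


def _user_writable(path: str) -> bool:
    return any(p in path.lower() for p in USER_WRITABLE)


def triage(lines, sample_name: str):
    """Apply the rules to report lines; returns findings in order, duplicates removed."""
    findings = []
    errbox = 0
    for line in lines:
        if m := AUTORUN_RE.search(line):
            # An autorun pointing into a user-writable directory needs no elevation to plant.
            weight = "strong" if _user_writable(m["path"]) else "weak"
            findings.append(Finding("autorun", weight, f"{m['key']} {m['name']} -> {m['path']}"))
        elif m := FILE_RE.search(line):
            path = m["path"].strip()
            if path.lower().endswith("\\" + sample_name.lower()) and _user_writable(path):
                findings.append(Finding("self-copy", "strong", path))
        elif m := DELAY_RE.search(line):
            ms = int(m["ms"])
            if ms == DOTNET_MAX_DELAY_MS:
                findings.append(Finding("sleep", "info",
                                        "TimeSpan.MaxValue: thread parked indefinitely, not a timed delay"))
            elif ms >= LONG_SLEEP_MS:
                findings.append(Finding("sleep", "strong", f"long sleep of {ms} ms"))
        elif m := WATCH_RE.search(line):
            # The CLR garbage collector reserves heap segments with MEM_WRITE_WATCH.
            findings.append(Finding("write-watch", "weak", f"0x{m['addr']} (normal for the .NET GC)"))
        elif ERRBOX_RE.search(line):
            errbox += 1
    if errbox:
        findings.append(Finding("error-mode", "info",
                                f"SEM_NOOPENFILEERRORBOX set {errbox} times (routine for .NET processes)"))
    return list(dict.fromkeys(findings))


def score(findings) -> Counter:
    """Count findings per weight so the strong signals stand out from CLR noise."""
    return Counter(f.weight for f in findings)


# Constructed input mirroring this report's wording (last line is an invented long sleep).
SAMPLE_LINES = [
    r"22:04:12 AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XoilaFixer C:\Users\user\AppData\Roaming\XoilaFixer.exe",
    r"Source: C:\Users\user\Desktop\XoilaFixer.exe File created: C:\Users\user\AppData\Roaming\XoilaFixer.exe",
    r"Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe TID: 2928 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\XoilaFixer.exe Memory allocated: C30000 memory reserve | memory write watch",
    r"Source: C:\Users\user\Desktop\XoilaFixer.exe Process information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\Desktop\XoilaFixer.exe Process information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\Desktop\XoilaFixer.exe Thread delayed: delay time: 240000",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LINES, "XoilaFixer.exe")
    for f in found:
        print(f"[{f.weight:6}] {f.rule}: {f.detail}")
    print(dict(score(found)))
```

Run stand-alone it prints the six findings; the two TimeSpan.MaxValue lines (one rendered negative with an "s" unit, as in the report) collapse into a single informational entry, and the self-copy plus its Run key are the only strong persistence findings.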

              Stealing of Sensitive Information

Source: Yara match | File source: XoilaFixer.exe, type: SAMPLE
Source: Yara match | File source: 1.2.XoilaFixer.exe.1b0b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.XoilaFixer.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.XoilaFixer.exe.289b120.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.XoilaFixer.exe.289b120.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.XoilaFixer.exe.1b0b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1208693955.00000000003E2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2451612510.000000001B0B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2450620075.0000000002846000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2450620075.000000000273E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XoilaFixer.exe PID: 7744, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, type: DROPPED

              Remote Access Functionality

Source: Yara match | File source: XoilaFixer.exe, type: SAMPLE
Source: Yara match | File source: 1.2.XoilaFixer.exe.1b0b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.XoilaFixer.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.XoilaFixer.exe.289b120.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.XoilaFixer.exe.289b120.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.XoilaFixer.exe.1b0b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1208693955.00000000003E2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2451612510.000000001B0B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2450620075.0000000002846000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2450620075.000000000273E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XoilaFixer.exe PID: 7744, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, type: DROPPED
MITRE ATT&CK Matrix

Only techniques with signature hits are listed; the number in parentheses is the hit count shown in the matrix.

Persistence: Registry Run Keys / Startup Folder (1), DLL Side-Loading (1)
Privilege Escalation: Process Injection (1), Registry Run Keys / Startup Folder (1), DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1)
Discovery: Security Software Discovery (11), Virtualization/Sandbox Evasion (31), System Information Discovery (13)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (3)
No hits: Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Exfiltration, Impact
Behavior Graph (ID 1647480; sample XoilaFixer.exe; start date 24/03/2025; architecture WINDOWS; score 96)
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
Top-level DNS/IP nodes: raw.githubusercontent.com; abolhb.com
Process nodes: XoilaFixer.exe (node 6, badge 1); XoilaFixer.exe (node 10, badges 15 and 4); XoilaFixer.exe (node 13)
Node 6: dropped C:\Users\user\AppData\...\XoilaFixer.exe.log (CSV); signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
Node 10: contacted abolhb.com 185.172.175.125 on port 505 (HUGESERVER-NETWORKSUS, Lithuania); raw.githubusercontent.com 185.199.111.133 on port 443 from client port 49692 (FASTLYUS, Netherlands); 127.0.0.1 (unknown); dropped C:\Users\user\AppData\...\XoilaFixer.exe (PE32) and C:\Users\...\XoilaFixer.exe:Zone.Identifier (ASCII)

Antivirus detections (submitted sample)
Source: XoilaFixer.exe | Detection: 56% | Scanner: Virustotal
Source: XoilaFixer.exe | Detection: 64% | Scanner: ReversingLabs | Label: ByteCode-MSIL.Trojan.Zilla
Source: XoilaFixer.exe | Detection: 100% | Scanner: Avira | Label: TR/Dropper.Gen

Antivirus detections (dropped files)
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Detection: 100% | Scanner: Avira | Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Detection: 64% | Scanner: ReversingLabs | Label: ByteCode-MSIL.Trojan.Zilla

Antivirus detections (unpacked PE files): No Antivirus matches
Antivirus detections (domains): No Antivirus matches

Antivirus detections (URLs)
Source: https://raw.githubusercont (truncated string) | Detection: 0% | Scanner: Avira URL Cloud | Label: safe


Contacted domains
Name: abolhb.com | IP: 185.172.175.125 | Active: true | Malicious: false | Reputation: high
Name: raw.githubusercontent.com | IP: 185.199.111.133 | Active: true | Malicious: false | Reputation: high
Note: "Malicious: false" here is the reputation-feed verdict, not the sandbox's own judgement. abolhb.com is contacted on port 505 (the "Detected TCP or UDP traffic on non-standard ports" signature) and the same host and IP appear in eight other XWorm and Njrat submissions in the context tables below, so it should be treated as the C2 endpoint of this run.

Contacted URLs
Name: https://raw.githubusercontent.com/76bh/img/main/Imagenep.png | Malicious: false | Reputation: high

URLs from memory and binary strings
Name: https://raw.githubusercont (truncated in memory) | Source: XoilaFixer.exe, 00000001.00000002.2450620075.0000000002710000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown
Name: https://raw.githubusercontent.com | Source: XoilaFixer.exe, 00000001.00000002.2450620075.0000000002710000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Source: XoilaFixer.exe, 00000001.00000002.2450620075.0000000002671000.00000004.00000800.00020000.00000000.sdmp; XoilaFixer.exe, 00000001.00000002.2450620075.00000000026FE000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high (a .NET identity claim-type URI, a framework constant rather than a contacted address)
Name: http://raw.githubusercontent.com | Source: XoilaFixer.exe, 00000001.00000002.2450620075.000000000271A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Contacted public IPs
IP: 185.199.111.133 | Domain: raw.githubusercontent.com | Country: Netherlands | ASN: 54113 | ASN name: FASTLYUS | Malicious: false
IP: 185.172.175.125 | Domain: abolhb.com | Country: Lithuania | ASN: 25780 | ASN name: HUGESERVER-NETWORKSUS | Malicious: false

Private / loopback IPs
127.0.0.1
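The graph and tables above record two external contacts that a responder should handle differently: a connection to abolhb.com on port 505 (a host seen in other XWorm submissions) and a fetch of a PNG from raw.githubusercontent.com over 443. The Python below is an added example, not Joe Sandbox's code: it parses endpoint strings in the format the behaviour graph uses, classifies each contact (loopback, payload staging on a public content host, or C2 candidate on a non-standard port) and emits a Suricata rule for the C2 candidate only, since blocking a CDN host outright would break legitimate traffic. The port allowlist, the staging-host list and the rule template are this example's own assumptions.

```python
"""Classify sandbox network contacts and emit C2 rules (added example, not Joe Sandbox code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Destination ports that do not on their own trigger a "non-standard port" flag (assumption).
STANDARD_PORTS = {80, 443, 8080, 8443}
# Public content hosts that malware routinely abuses to stage payloads (assumption).
STAGING_HOSTS = ("raw.githubusercontent.com", "github.com", "cdn.discordapp.com")
# URL observed on the staging host in this run (taken from the report's URL table).
URLS_SEEN = {"raw.githubusercontent.com": ["https://raw.githubusercontent.com/76bh/img/main/Imagenep.png"]}


@dataclass
class Observation:
    domain: Optional[str]
    ip: str
    dst_port: Optional[int]
    asn: str = ""


@dataclass
class Verdict:
    ip: str
    role: str                      # "c2", "staging", "loopback" or "unclassified"
    reasons: list = field(default_factory=list)


def parse_graph_endpoint(text: str) -> Observation:
    """Parse one endpoint node as the behaviour graph renders it, e.g.
    'abolhb.com 185.172.175.125, 505 HUGESERVER-NETWORKSUS' or
    'raw.githubusercontent.com 185.199.111.133, 443, 49692 FASTLYUS'.
    The first number after the IP is the destination port; a second one is the
    client's ephemeral source port and is discarded. '127.0.0.1 unknown unknown'
    has neither a domain nor a port."""
    head, _, rest = text.partition(",")
    parts = head.split()
    if len(parts) == 2:
        domain, ip = parts
    else:
        domain, ip = None, parts[0]
    ports, asn = [], ""
    for tok in rest.replace(",", " ").split():
        if tok.isdigit():
            ports.append(int(tok))
        else:
            asn = tok
    return Observation(domain, ip, ports[0] if ports else None, asn)


def classify(obs: Observation) -> Verdict:
    """Decide what kind of contact this is, recording the reasons."""
    v = Verdict(obs.ip, "unclassified")
    if ipaddress.ip_address(obs.ip).is_loopback:
        v.role = "loopback"
        v.reasons.append("loopback only, no external contact")
        return v
    if obs.domain and obs.domain.endswith(STAGING_HOSTS):
        # Block the path, not the host: the host serves legitimate traffic too.
        v.role = "staging"
        v.reasons.append("public content host used for payload download")
        v.reasons.extend(f"fetched {u}" for u in URLS_SEEN.get(obs.domain, []))
        return v
    if obs.dst_port is not None and obs.dst_port not in STANDARD_PORTS:
        v.role = "c2"
        v.reasons.append(f"non-standard destination port {obs.dst_port}")
    return v


def suricata_rule(obs: Observation, sid: int) -> str:
    """Emit a minimal Suricata alert for a C2 endpoint (rule template is an assumption)."""
    name = obs.domain or obs.ip
    return (f"alert tcp $HOME_NET any -> {obs.ip} {obs.dst_port} "
            f'(msg:"XWorm C2 contact {name}"; sid:{sid}; rev:1;)')


# Endpoint nodes copied from this report's behaviour graph (node numbers removed).
GRAPH_ENDPOINTS = [
    "abolhb.com 185.172.175.125, 505 HUGESERVER-NETWORKSUS",
    "raw.githubusercontent.com 185.199.111.133, 443, 49692 FASTLYUS",
    "127.0.0.1 unknown unknown",
]


def triage_network(endpoints=GRAPH_ENDPOINTS):
    """Return (verdicts, rules) for a list of graph endpoint strings."""
    verdicts, rules = [], []
    for i, text in enumerate(endpoints):
        obs = parse_graph_endpoint(text)
        v = classify(obs)
        verdicts.append(v)
        if v.role == "c2":
            rules.append(suricata_rule(obs, 1000001 + i))
    return verdicts, rules


if __name__ == "__main__":
    verdicts, rules = triage_network()
    for v in verdicts:
        print(f"{v.role:12} {v.ip:16} {'; '.join(v.reasons)}")
    print("\n".join(rules))
```

The classifier deliberately returns "unclassified" for an unknown host on a standard port rather than guessing; for this run only abolhb.com:505 yields a rule, while the GitHub fetch is reported with its full URL so the path can be blocked or hunted for without touching the host.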
                          Joe Sandbox version:42.0.0 Malachite
                          Analysis ID:1647480
                          Start date and time:2025-03-24 22:03:15 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 5m 12s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:XoilaFixer.exe
                          Detection:MAL
                          Classification:mal96.troj.evad.winEXE@3/3@2/3
                          EGA Information:Failed
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 33
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 184.31.69.3, 20.109.210.53, 4.175.87.197
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target XoilaFixer.exe, PID 5348 because it is empty
                          • Execution Graph export aborted for target XoilaFixer.exe, PID 7412 because it is empty
                          • Execution Graph export aborted for target XoilaFixer.exe, PID 7744 because it is empty
• Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
17:05:10 | API Interceptor | 19x Sleep call for process: XoilaFixer.exe modified
22:04:12 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XoilaFixer C:\Users\user\AppData\Roaming\XoilaFixer.exe
22:04:20 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XoilaFixer C:\Users\user\AppData\Roaming\XoilaFixer.exe
Similar samples by contacted IP
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.199.111.133 | cr_asm2.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.111.133 | cr_asm_crypter.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.111.133 | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.111.133 | BeginSync lnk.lnk | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.172.175.125 | btoawpdtjhjawd.exe | malicious | XWorm |
185.172.175.125 | Output.exe | malicious | XWorm |
185.172.175.125 | SolaraExecutor.exe.bin.exe | malicious | XWorm |
185.172.175.125 | Output.exe | malicious | XWorm |
185.172.175.125 | COMSurrogate.exe.bin.exe | malicious | XWorm |
185.172.175.125 | mBBBgvD.exe | malicious | AsyncRAT, BitCoin Miner, XWorm, Xmrig |
185.172.175.125 | XWorm RAT V2.1.exe | malicious | Njrat, XWorm |
185.172.175.125 | 23khy505ab.exe | malicious | Njrat |

Similar samples by contacted domain
Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | LauncherV8.exe | malicious | LummaC Stealer, Salat Stealer | 185.199.109.133
raw.githubusercontent.com | iwr.bat | malicious | Quasar | 185.199.110.133
raw.githubusercontent.com | setup.exe | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | setup.exe | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | https://github.com/rapid7/metasploit-framework/raw/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | GADAR.exe | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | GADAR.exe | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | iroklas.exe | malicious | LummaC Stealer | 185.199.109.133
raw.githubusercontent.com | gyazowin.exe | malicious | LummaC Stealer | 185.199.109.133
abolhb.com | btoawpdtjhjawd.exe | malicious | XWorm | 185.172.175.125
abolhb.com | Output.exe | malicious | XWorm | 185.172.175.125
abolhb.com | SolaraExecutor.exe.bin.exe | malicious | XWorm | 185.172.175.125
abolhb.com | Output.exe | malicious | XWorm | 185.172.175.125
abolhb.com | COMSurrogate.exe.bin.exe | malicious | XWorm | 185.172.175.125
abolhb.com | mBBBgvD.exe | malicious | AsyncRAT, BitCoin Miner, XWorm, Xmrig | 185.172.175.125
abolhb.com | XWorm RAT V2.1.exe | malicious | Njrat, XWorm | 185.172.175.125
abolhb.com | 23khy505ab.exe | malicious | Njrat | 185.172.175.125

Similar samples by ASN
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FASTLYUS | RECIPIENT_DOMAIN_NAME.svg | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 185.199.110.133
FASTLYUS | 🔊Audio_Msg Umanitoba.xhtml | malicious | HTMLPhisher | 199.232.192.193
                                          Acgsys#receipt0191.htmlGet hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
                                          • 185.199.108.133
                                          0064_QB_Payment_Statemnt87T.svgGet hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
                                          • 151.101.130.137
                                          https://tfsgroups.com/contact-2/Get hashmaliciousUnknownBrowse
                                          • 151.101.129.229
                                          Sbafla response to shift in trend.msgGet hashmaliciousUnknownBrowse
                                          • 151.101.129.229
                                          https://8tf7eelab.cc.rs6.netGet hashmaliciousUnknownBrowse
                                          • 151.101.129.140
                                          Brave.exeGet hashmaliciousUnknownBrowse
                                          • 151.101.65.91
                                          702cb6e..emlGet hashmaliciousHTMLPhisherBrowse
                                          • 151.101.130.137
                                          702cb6e..emlGet hashmaliciousHTMLPhisherBrowse
                                          • 151.101.194.137
                                          HUGESERVER-NETWORKSUSbtoawpdtjhjawd.exeGet hashmaliciousXWormBrowse
                                          • 185.172.175.125
                                          Output.exeGet hashmaliciousXWormBrowse
                                          • 185.172.175.125
                                          SolaraExecutor.exe.bin.exeGet hashmaliciousXWormBrowse
                                          • 185.172.175.125
                                          Output.exeGet hashmaliciousXWormBrowse
                                          • 185.172.175.125
                                          COMSurrogate.exe.bin.exeGet hashmaliciousXWormBrowse
                                          • 185.172.175.125
                                          Nexol.exeGet hashmaliciousLummaC Stealer, PureLog Stealer, XWormBrowse
                                          • 185.172.175.147
                                          mBBBgvD.exeGet hashmaliciousAsyncRAT, BitCoin Miner, XWorm, XmrigBrowse
                                          • 185.172.175.125
                                          5BADc9D4Ir.exeGet hashmaliciousAmadey, SystemBCBrowse
                                          • 185.133.35.21
                                          https://share.hsforms.com/1_vnkKmfHQN2JeD59Dlknqg2nxhoGet hashmaliciousHTMLPhisherBrowse
                                          • 62.192.173.178
                                          FW Luis Quezada Signed.msgGet hashmaliciousHTMLPhisherBrowse
                                          • 62.192.173.178
                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          3b5074b1b5d032e5620f69f9f700ff0egeneral.ps1Get hashmaliciousUnknownBrowse
                                          • 185.199.111.133
                                          general.ps1Get hashmaliciousKdot StealerBrowse
                                          • 185.199.111.133
                                          Order Details.exeGet hashmaliciousSnake KeyloggerBrowse
                                          • 185.199.111.133
                                          INGOE04.jsGet hashmaliciousAgentTeslaBrowse
                                          • 185.199.111.133
                                          COMPROVATIVO-14996813-MAR#U00c7O-ANCZ0-PD9BC - 208.htmlGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                          • 185.199.111.133
                                          25-03-25.exeGet hashmaliciousAgentTeslaBrowse
                                          • 185.199.111.133
                                          RFQ 11054.exeGet hashmaliciousSnake KeyloggerBrowse
                                          • 185.199.111.133
                                          Price Inquiry PO 211436.pdf.z.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                          • 185.199.111.133
                                          3-25.pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                          • 185.199.111.133
                                          PO202503BE.bat.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                          • 185.199.111.133
                                          No context
                                          Process:C:\Users\user\AppData\Roaming\XoilaFixer.exe
                                          File Type:CSV text
                                          Category:dropped
                                          Size (bytes):654
                                          Entropy (8bit):5.380476433908377
                                          Encrypted:false
                                          SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                          MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                          SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                          SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                          SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                          Malicious:true
                                          Reputation:moderate, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                          Process:C:\Users\user\Desktop\XoilaFixer.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):50176
                                          Entropy (8bit):5.579413998347093
                                          Encrypted:false
                                          SSDEEP:768:nwj1+sT2ijuJ4lJ87040qY1guzb+MMyklxfr1puhJOWF82o9Ze:nwjzT2iL/q8rb+MM/2bOH9k
                                          MD5:CD3C6E9D220BC5F45CCDBC65958B4595
                                          SHA1:4B1C43A79D6F0827F87A797734EE2EC9CC361E17
                                          SHA-256:42E006CD726AA80AF62CA03F177476B7C592BCE5A77A4B3A074ABDA88E3DBE5D
                                          SHA-512:00A6980EF286A075F18927364D200645695CA3B8AB3660B92135DE61BA688B1717B193A5EC2B79A0AFD9910DB42573A9C19520FD2D9DD5176F7A13E5135C2C31
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, Author: Joe Security
                                          • Rule: rat_win_xworm_v2, Description: Finds XWorm v2 samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, Author: Sekoia.io
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, Author: ditekSHen
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 64%
                                          Reputation:low
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g................................. ........@.. ....................... ............@.................................P...K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......(t..(d......&.....................................................(....*.r...p*. ~.H.*..(....*.r...p*. E/..*.s.........s.........s.........s.........*.r/..p*. M.).*.rC..p*. .6p.*.rY..p*. .O..*.ro..p*. .x!.*.r...p*. ....*..()...*.r...p*. *p{.*.r+..p*.+5s>... .... ....o?...(@...~....-.(6...(0...~....oA...&.-.*.r...p*. \...*.r...p*. ..c.*.r...p*. ....*"(7...+.*:.t....(3...+.*.r...p*. V.;.*.r...p*. ...*.r...p*. ..e.*.r...p*.r...p*. ...*.r...p*. . ..*.r...p*. E.A.*.r1..p
                                          Process:C:\Users\user\Desktop\XoilaFixer.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview:[ZoneTransfer]....ZoneId=0
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):5.579413998347093
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:XoilaFixer.exe
                                          File size:50'176 bytes
                                          MD5:cd3c6e9d220bc5f45ccdbc65958b4595
                                          SHA1:4b1c43a79d6f0827f87a797734ee2ec9cc361e17
                                          SHA256:42e006cd726aa80af62ca03f177476b7c592bce5a77a4b3a074abda88e3dbe5d
                                          SHA512:00a6980ef286a075f18927364d200645695ca3b8ab3660b92135de61ba688b1717b193a5ec2b79a0afd9910db42573a9c19520fd2d9dd5176f7a13e5135c2c31
                                          SSDEEP:768:nwj1+sT2ijuJ4lJ87040qY1guzb+MMyklxfr1puhJOWF82o9Ze:nwjzT2iL/q8rb+MM/2bOH9k
                                          TLSH:AD33D7C9A3D50132C1FF5AB219F3520A92F4A593481AC75EBCD515DA3BA7BC88640FE3
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ........@.. ....................... ............@................................
                                          Icon Hash:90cececece8e8eb0
                                          Entrypoint:0x40d89e
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x67E18AE7 [Mon Mar 24 16:40:07 2025 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0xd850           0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE         0xe000           0x5ca         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x10000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xb8a4        0xba00    fa2cf7d3d27950b16db0ceceb9d26120  False     0.435525873655914   data       5.663366865089623    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xe000           0x5ca         0x600     3e2607ab137e445929296ac559c79835  False     0.4192708333333333  data       4.145944420748221    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x10000          0xc           0x200     17acbfaf4a563f1c238819a61b0d67b2  False     0.044921875         data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA     Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0xe0a0  0x340  data                                                                                                  0.41466346153846156
RT_MANIFEST  0xe3e0  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                    0.5469387755102041
DLL          Import
mscoree.dll  _CorExeMain
Description       Data
Translation       0x0000 0x04b0
Comments          %Des%
CompanyName       %Company%
FileDescription   %Title%
FileVersion       1.0.0.0
InternalName      XoilaFixer.exe
LegalCopyright    %Copyright%
LegalTrademarks   %Trademark%
OriginalFilename  XoilaFixer.exe
ProductName       %Product%
ProductVersion    1.0.0.0
Assembly Version  1.0.0.0


                                          • Total Packets: 47
                                          • 505 undefined
                                          • 443 (HTTPS)
                                          • 53 (DNS)
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Mar 24, 2025 22:04:10.226284027 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.226336956 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.226397991 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.244524956 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.244555950 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.449603081 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.449729919 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.454910994 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.454926014 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.455336094 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.510746002 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.519006014 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.560328960 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.751969099 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.752041101 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.752090931 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.752091885 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.752105951 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.752157927 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.755753040 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.759624958 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.759701014 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.759726048 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.763326883 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.763395071 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.763408899 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.768218040 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.768302917 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.768326044 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.772058964 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.772115946 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.772130013 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.776015043 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.776067972 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.776082039 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.783350945 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.783402920 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.783411026 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.783430099 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.783468008 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.786925077 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.789496899 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.789544106 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.789556026 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.789573908 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.789611101 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.792974949 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.793076038 CET  443          49692      185.199.111.133  192.168.2.6
Mar 24, 2025 22:04:10.793243885 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:10.807928085 CET  49692        443        192.168.2.6      185.199.111.133
Mar 24, 2025 22:04:16.850900888 CET  49697        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:04:17.854492903 CET  49697        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:04:19.854490995 CET  49697        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:04:23.854552031 CET  49697        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:04:31.870210886 CET  49697        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:04:42.137192011 CET  49705        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:04:43.151531935 CET  49705        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:04:45.151489973 CET  49705        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:04:49.167073965 CET  49705        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:04:57.167052984 CET  49705        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:05:07.403001070 CET  49714        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:05:08.417166948 CET  49714        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:05:10.417057037 CET  49714        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:05:14.417088985 CET  49714        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:05:22.432729959 CET  49714        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:05:31.824884892 CET  49722        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:05:32.838964939 CET  49722        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:05:34.854628086 CET  49722        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:05:38.854720116 CET  49722        505        192.168.2.6      185.172.175.125
Mar 24, 2025 22:05:46.870346069 CET  49722        505        192.168.2.6      185.172.175.125
                                          Mar 24, 2025 22:05:56.465588093 CET49730505192.168.2.6185.172.175.125
                                          Mar 24, 2025 22:05:57.479644060 CET49730505192.168.2.6185.172.175.125
                                          Mar 24, 2025 22:05:59.479628086 CET49730505192.168.2.6185.172.175.125
                                          Mar 24, 2025 22:06:03.495356083 CET49730505192.168.2.6185.172.175.125
                                          Mar 24, 2025 22:06:11.495294094 CET49730505192.168.2.6185.172.175.125
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 24, 2025 22:04:10.110701084 CET | 63748 | 53 | 192.168.2.6 | 1.1.1.1
Mar 24, 2025 22:04:10.218833923 CET | 53 | 63748 | 1.1.1.1 | 192.168.2.6
Mar 24, 2025 22:04:16.732835054 CET | 52481 | 53 | 192.168.2.6 | 1.1.1.1
Mar 24, 2025 22:04:16.840832949 CET | 53 | 52481 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 24, 2025 22:04:10.110701084 CET | 192.168.2.6 | 1.1.1.1 | 0xc79a | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Mar 24, 2025 22:04:16.732835054 CET | 192.168.2.6 | 1.1.1.1 | 0x73a5 | Standard query (0) | abolhb.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 24, 2025 22:04:10.218833923 CET | 1.1.1.1 | 192.168.2.6 | 0xc79a | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Mar 24, 2025 22:04:10.218833923 CET | 1.1.1.1 | 192.168.2.6 | 0xc79a | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Mar 24, 2025 22:04:10.218833923 CET | 1.1.1.1 | 192.168.2.6 | 0xc79a | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Mar 24, 2025 22:04:10.218833923 CET | 1.1.1.1 | 192.168.2.6 | 0xc79a | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Mar 24, 2025 22:04:16.840832949 CET | 1.1.1.1 | 192.168.2.6 | 0x73a5 | No error (0) | abolhb.com | | 185.172.175.125 | A (IP address) | IN (0x0001) | false
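The port 505 traffic in the TCP packet list above deserves a closer look than the raw rows give it. Every attempt from 192.168.2.6 to 185.172.175.125:505 (the address abolhb.com resolved to in the DNS answers) consists of five outbound packets on a single source port spaced about 1, 2, 4 and 8 seconds apart, nothing is recorded coming back, and a fresh source port appears roughly every 25 seconds. That spacing matches Windows TCP SYN retransmission timing, so the simplest reading is that the endpoint did not accept the connection during the run and the sample keeps retrying. The script below is an added analysis example, not part of the Joe Sandbox report: it re-derives those observations from rows constructed from the table, using the raw.githubusercontent.com session on port 49692 as an answered control case. The HOST address, the retry tolerance and the list of "standard" ports are assumptions chosen for this capture.

```python
"""Flag unanswered, retrying TCP connection attempts in a sandbox packet list."""
from collections import defaultdict
from datetime import datetime

HOST = "192.168.2.6"            # the analysis machine in this report (assumption: single host)
STANDARD_PORTS = {53, 80, 443}  # assumption: anything else counts as non-standard

# Rows constructed from the TCP packet list on this page:
# (timestamp, source port, destination port, source IP, destination IP).
PACKETS = [
    ("Mar 24, 2025 22:04:10.783411026 CET", 49692, 443, "192.168.2.6", "185.199.111.133"),
    ("Mar 24, 2025 22:04:10.783430099 CET", 443, 49692, "185.199.111.133", "192.168.2.6"),
    ("Mar 24, 2025 22:04:10.807928085 CET", 49692, 443, "192.168.2.6", "185.199.111.133"),
    ("Mar 24, 2025 22:04:16.850900888 CET", 49697, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:04:17.854492903 CET", 49697, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:04:19.854490995 CET", 49697, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:04:23.854552031 CET", 49697, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:04:31.870210886 CET", 49697, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:04:42.137192011 CET", 49705, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:04:43.151531935 CET", 49705, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:04:45.151489973 CET", 49705, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:04:49.167073965 CET", 49705, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:04:57.167052984 CET", 49705, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:05:07.403001070 CET", 49714, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:05:08.417166948 CET", 49714, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:05:10.417057037 CET", 49714, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:05:14.417088985 CET", 49714, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:05:22.432729959 CET", 49714, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:05:31.824884892 CET", 49722, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:05:32.838964939 CET", 49722, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:05:34.854628086 CET", 49722, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:05:38.854720116 CET", 49722, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:05:46.870346069 CET", 49722, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:05:56.465588093 CET", 49730, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:05:57.479644060 CET", 49730, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:05:59.479628086 CET", 49730, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:06:03.495356083 CET", 49730, 505, "192.168.2.6", "185.172.175.125"),
    ("Mar 24, 2025 22:06:11.495294094 CET", 49730, 505, "192.168.2.6", "185.172.175.125"),
]


def parse_ts(s):
    """'Mar 24, 2025 22:04:16.850900888 CET' -> datetime; zone label dropped, ns cut to us."""
    head, frac = s.rsplit(" ", 1)[0].split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def syn_retry_pattern(times, tolerance=0.3):
    """True when packets are spaced ~1, 2, 4, 8 s apart: Windows SYN retransmission timing."""
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    expected = [1.0, 2.0, 4.0, 8.0]
    return len(deltas) >= 3 and all(abs(d - e) <= tolerance for d, e in zip(deltas, expected))


def analyze(packets):
    """Group outbound packets by (source port, peer) and note whether the peer ever replied."""
    outbound = defaultdict(list)
    answered = set()
    for ts, sport, dport, sip, dip in packets:
        if sip == HOST:
            outbound[(sport, f"{dip}:{dport}")].append(parse_ts(ts))
        elif dip == HOST:
            answered.add((dport, f"{sip}:{sport}"))   # same key seen from our side
    report = []
    for (sport, peer), times in sorted(outbound.items(), key=lambda kv: min(kv[1])):
        times.sort()
        report.append({
            "src_port": sport, "dst": peer, "first": times[0], "packets": len(times),
            "answered": (sport, peer) in answered,
            "syn_retry": syn_retry_pattern(times),
            "nonstandard_port": int(peer.rsplit(":", 1)[1]) not in STANDARD_PORTS,
        })
    return report


def beacon_intervals(report, peer):
    """Seconds between the start of successive connection attempts to one peer."""
    starts = [r["first"] for r in report if r["dst"] == peer]
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]


def suspicious(report):
    """Unanswered SYN-retry bursts to a non-standard port: the beaconing signature in this capture."""
    return [r for r in report if not r["answered"] and r["syn_retry"] and r["nonstandard_port"]]


if __name__ == "__main__":
    rep = analyze(PACKETS)
    for r in suspicious(rep):
        print(f"{r['first'].time()} src {r['src_port']} -> {r['dst']}: "
              f"{r['packets']} outbound packets, no reply")
    print("attempt spacing (s):", [round(i, 1) for i in beacon_intervals(rep, "185.172.175.125:505")])
```

The same grouping works on a live capture exported as a packet list; the point of the control case is that a completed TLS session to GitHub is not flagged, because the peer answered and the packet spacing is sub-second. Absence of a reply in the sandbox says nothing about whether the port 505 endpoint was alive at a later time, only that it did not complete a handshake during this run.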
• raw.githubusercontent.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49692 | 185.199.111.133 | 443 | 7744 | C:\Users\user\Desktop\XoilaFixer.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-24 21:04:10 UTC | 101 | OUT | GET /76bh/img/main/Imagenep.png HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive
2025-03-24 21:04:10 UTC | 875 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 31476
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: image/png
ETag: "0aee22d8b1a8775302266ace0e8334efbe5be1447d6735d7fc3415ee954bc813"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 4F52:2E2D51:AD81:E0A9:67E1C8C9
Accept-Ranges: bytes
Date: Mon, 24 Mar 2025 21:04:10 GMT
Via: 1.1 varnish
X-Served-By: cache-lga21966-LGA
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1742850251.579615,VS0,VE123
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 530a6ca23dff7e97e90077ffc6e767ececed227a
Expires: Mon, 24 Mar 2025 21:09:10 GMT
Source-Age: 0
2025-03-24 21:04:10 UTC | 1378 | IN | Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 b8 00 00 00 00 01 08 06 00 00 00 15 9f 30 71 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 09 70 48 59 73 00 00 0e c3 00 00 0e c3 01 c7 6f a8 64 00 00 7a 89 49 44 41 54 78 5e ed dd 79 e0 77 dd d7 d0 f3 27 b9 cd 43 48 78 cc b3 50 99 33 67 4c 86 c8 2c 25 f3 3c 66 96 0c a5 90 29 b3 48 14 32 97 24 44 28 95 cc 43 91 84 a8 cc 19 43 32 25 e7 d5 ef fb ae f5 2c e7 9c cf e7 73 5d d7 7d dd f7 f3 b8 fe 58 df 73 ce da 6b de 6b af bd cf 3e e7 7c be 5f f5 ad bf ea ab 7e f6 1f 7a c0 5f 7f c0 57 1d f0 f5 df 8e c1 cf bf ae 8f 3f 3f 07 ba fe a1 e3 fc 0c 7e 87 13 dc 17 09 7f e9 ba fe 25 0e f8 55 0f f8 67 df ce e1 7e c8 01 bf f0 01 ff e6 01 bf fa 01 7c fc 7a 07 fc 5e 03 f7
Data Ascii: PNGIHDR0qsRGBgAMAapHYsodzIDATx^yw'CHxP3gL,%<f)H2$D(CC2%,s]}Xskk>|_~z_W??~%Ug~|z^
2025-03-24 21:04:10 UTC | 1378 | IN | Data Raw: 2b 3e 3c 47 c3 cf fe 69 07 6c 7d 3f f6 80 2b 3e 3e 7c db 03 cc 65 f1 fd 8d 07 c8 55 be cf fa a6 0f d5 c0 bf e3 00 e3 9f ad b5 19 ff df f0 00 fa fe db 03 a6 be 6f 74 80 7c ae 0e 01 ba d0 07 e4 92 89 3f 1a 35 48 4d 99 be 90 d3 9a 6d fb 82 5f bd eb de 76 f2 fd bd 07 5c f1 fd d4 03 8c 1b 79 b7 6b 82 fb a2 2b 3e fd a8 b6 fd 8e 07 7c 76 c0 e4 13 f3 2b be 7f ee 00 6b 68 eb 9d 5d 13 fe 9b 03 ae f8 7e b7 03 d8 43 f6 ee e3 e2 79 c6 a7 de 7d a7 03 fe ce 03 b6 3e fb ce 57 7c 72 c9 bd b5 79 7d 8f 5f 73 e4 15 df f7 3b e0 0f 3f 40 ad d1 3e f9 8c d1 2b 3e f3 80 78 aa 45 db 3f fb 1d 57 7c 72 d7 5e b9 31 b7 f9 fe 92 03 ce f8 b4 59 1f 5f b5 99 97 ae f4 c9 cb 7f f2 80 f6 78 26 9f da 7c c5 a7 5f cd 8f 67 f9 a2 56 5c f1 fd bb 07 b8 4f d4 ef 5b df ff 72 c0 95 0f f6 bb bb c7 d8
Data Ascii: +><Gil}?+>>|eUot|?5HMm_v\yk+>|v+kh]~Cy}>W|ry}_s;?@>+>xE?W|r^1Y_x&|_gV\O[r
2025-03-24 21:04:10 UTC | 1378 | IN | Data Raw: 3e bb fe df 3a f8 27 2e d6 61 ee b3 ee ee 49 f0 7f 51 6b da 33 dd 62 71 b6 c6 ed 3d b3 47 39 61 4c f1 f5 3f 3c 80 5d ae ff fd 03 9e bd ef 32 56 ca f5 b3 58 5f e5 14 bb e7 fb 6b ec a6 cf 7b 26 e1 c0 2b 72 c5 8d 5c ef 9c d4 56 dc ce 72 c8 7b 4a 9b 6e c7 47 4e 58 bb ce be 9a f7 85 f5 d5 7c ff e1 4e e7 d9 d8 98 ef b1 c3 e9 bf 47 39 78 26 fb 5d c7 84 3e 7f a5 bf dd 37 9c c5 ea d9 38 cb b5 0f 91 77 f6 dd f4 bb f6 5d 67 dd 8f 58 0b b2 e9 6b c3 78 65 af f9 e5 43 de 8f 99 a7 ae da 9c ef fd 1e f3 fb 7c 87 76 c3 be df b1 af 3c eb 8b be 9b d7 fc e9 1c ec fb af e6 d3 ee c3 e4 40 ed 60 c6 4e 8d 69 7d eb 3d 84 f0 62 cf 1f 31 b9 8a 1d 78 26 0e 6c 9a 39 bd 41 be b5 d7 4b df 95 3f ad 0f e6 1e 30 98 b2 ab 99 fa 34 9c be 34 7e 1c b5 d7 b7 de a9 89 86 dd 78 d0 59 47 44 27 6f
Data Ascii: >:'.aIQk3bq=G9aL?<]2VX_k{&+r\Vr{JnGNX|NG9x&]>78w]gXkxeC|v<@`Ni}=b1x&l9AK?044~xYGD'o
2025-03-24 21:04:10 UTC | 1378 | IN | Data Raw: a5 6f 11 e7 bb fa 33 96 be c5 7c 25 96 ee 83 be ec b1 e4 b3 3a 70 e5 b3 f7 77 5e f1 d9 bd d7 33 76 7f e7 03 26 bf fd 88 67 62 e4 1e 75 f2 d9 1b ed 39 97 f7 95 ba f7 a4 cb fc a0 ee 69 53 c7 c0 e4 25 6f ee 7f d1 6f 2e 17 13 be 5c c5 c4 6f 0d bc 12 13 fb 05 cf f8 76 b5 2e f7 0e e2 d4 87 e7 d9 75 f9 33 7d 31 9f 71 a2 87 9b f4 7c 99 6b e5 39 8f 34 96 d8 39 e9 8b a3 df 96 98 df db cc 38 fa be f7 95 38 7a ae a7 dd 77 c8 b3 9d 2c bf 7b 32 65 3d 13 ef fd fb 1f e2 87 c6 da cd 5a 77 b7 f5 2c d9 f1 51 5c d1 b9 b6 de f0 0e c0 94 55 1b 1b 3c 5f 9b 6d c5 cd fe ce 55 dc 7c bb fc 4a dc b4 9d f1 7d 91 73 bb 71 77 e5 9f 9c 79 c5 3f fb d2 67 7c 57 fe ed bd c6 67 72 e5 ee f7 19 b6 ad ef ba f6 fa b2 ec a9 ea 1f df c2 5b a7 84 9f fd f3 33 0e 78 a5 7f 8c 9d 67 62 7c 35 16 dc 77
Data Ascii: o3|%:pw^3v&gbu9iS%oo.\ov.u3}1q|k94988zw,{2e=Zw,Q\U<_mU|J}sqwy?g|Wgr[3xgb|5w
2025-03-24 21:04:10 UTC | 1378 | IN | Data Raw: 2e dc fc 1f 61 e9 99 cf 21 b6 1e f7 6e fa c4 9a 72 f6 c9 a4 51 cf a7 2d bb e6 d3 b1 d7 54 93 df 33 a2 47 3a 7c ef 36 75 bc ab bf 53 a6 df 1f a5 d7 fb 20 57 7a d9 ee 7a ca 28 b7 9e a9 ef be ef d5 76 55 df e9 91 5b f2 c1 ef 72 95 8f e1 1d e5 60 bf a7 23 df cc 33 07 f3 cf 85 b3 31 f3 ec 3d 04 f9 8d 93 dd f6 ac 0c 74 fa 65 d2 7d 1e b5 65 eb 85 7b b6 de b8 df 75 af 1c 9e df d5 1b 6b b4 19 bb bb 7a a3 9e ca 45 f4 8f ee 4b cf de ab f7 7b b5 13 27 47 fd 4f a7 89 63 2f dc 95 bd d6 45 af d8 0b 3e 4f 7b 3d f7 f3 bf dc 66 0d c6 3b df 7d 47 77 65 83 3c c9 86 f9 5e 17 1e b1 f0 7b 2f 57 b1 30 c7 be 12 0b b9 f1 b5 25 16 57 ef b2 aa 5b 57 f1 60 e3 2b f1 d0 76 c6 f7 45 ae 0d fc 1f c9 f9 bf 87 a6 7f f6 74 5e f1 af f7 ba 37 df b3 b5 0d cf a3 5c b9 da 7f fa c7 df ae e1 b3 f5
Data Ascii: .a!nrQ-T3G:|6uS Wzz(vU[r`#31=te}e{ukzEK{'GOc/E>O{=f;}Gwe<^{/W0%W[W`+vEt^7\
2025-03-24 21:04:10 UTC | 1378 | IN | Data Raw: c3 d9 ff 4a 43 e7 88 86 2e f4 64 c3 15 93 b3 f9 7c 7f c3 ae ce 36 8f 5c f1 5d f9 d9 fc fb 48 e7 0f 3f c1 9d 7d 8b f0 23 16 ee 91 5c ef ed 4c 1c 5f fa fe 61 ce fd ec 3f 5b 5b 7f d1 3e cb 13 76 fd c8 37 5c 78 f7 77 8f de d1 2d 87 ee de d1 95 1b 74 f4 8e ae eb f0 8e 72 68 be a3 eb 3b 86 83 f9 e7 82 dc b3 b7 79 35 7e ec f3 7d d9 c6 8f 3a d5 f8 61 ff d5 f8 41 e7 a8 bd f1 43 2f 9c 23 f9 67 fd 7a 37 7e ae f8 9e c9 a5 3b 9d cf 8e 9f 1f b5 70 8f e4 7e 88 f1 f3 45 fa 8c 9f 5d 3f fa 0d 17 fe 99 f1 c3 0e 6d 77 e3 47 6e d0 d1 f8 71 1d de 51 0e 3d 1a 3f 9e 71 93 91 0e 7c 8d 1f ef bf 3f 3b 7e 5a 53 9d f1 5d dd 0b be eb 9e 17 dc 59 9f 9c dd 0b fa 86 fb ca 3f fb 22 af f8 d7 7b af 9b ef 43 de cb 5f ad a7 fc 96 e7 b6 f5 d1 7a 8a bc fd de eb e7 d1 17 ef 73 af 6e 1c f1 25 fc
Data Ascii: JC.d|6\]H?}#\L_a?[[>v7\xw-trh;y5~}:aAC/#gz7~;p~E]?mwGnqQ=?q|?;~ZS]Y?"{C_zsn%
2025-03-24 21:04:10 UTC | 1378 | IN | Data Raw: 4b ba f2 47 7f bc e2 8f 5c 7c 64 27 fe 7f eb 80 c9 2f 3f d8 e2 37 fc e6 1e d0 b4 c5 6f 82 7e ec d8 16 bb 47 3e 91 f9 6f 1f 50 1b 99 fc f1 9b 31 57 fe f8 ff 72 cf fa a3 d6 fd df 6f b8 e0 99 38 5f d5 3a f3 c4 d4 6d 1f ed 8b a8 75 6c bd 93 f7 ea ff 8a a5 f3 4e 9e ff dd 81 d6 d1 5e 33 9c df 43 86 73 dc f2 b4 9f d5 e2 e2 f5 79 ee 8f bb e6 a3 fe 4a 47 63 65 ca ff 32 d6 ec e9 c3 b6 ef cb f0 ff 68 b3 4f dc b7 7d e5 48 79 c1 be ea c0 c7 b2 4f ed f0 fb 3f b3 76 b1 85 6e f9 e0 7b ed 57 6a 87 df 9d 23 bb 36 f3 a7 f5 71 d7 d5 0d 75 f3 b3 03 e8 df ff a3 55 bb 7d de cd f7 3e 75 68 7f 8b f6 ca b3 36 72 f7 dc 3e c7 2e fd cf d6 82 6a d5 5d 2d 78 54 5b 66 ed ab 56 dd d5 3e 34 77 f2 66 ed ab 56 f1 19 ce 71 cb 43 73 27 cf fa 06 ad a3 38 c3 f9 9f c5 70 8e 5b 9e f6 b3 da f7 ca
Data Ascii: KG\|d'/?7o~G>oP1Wro8_:mulN^3CsyJGce2hO}HyO?vn{Wj#6quU}>uh6r>.j]-xT[fV>4wfVqCs'8p[
2025-03-24 21:04:10 UTC | 1378 | IN | Data Raw: 7c d8 b9 ef 6d d5 3d cf 3d 27 0e 58 93 79 bf 4b cc e0 ad c9 c4 87 fd de 13 9b df 26 a2 67 4f 73 4a fd c4 67 df cf d0 af cd 11 de fa 4d dc c4 9a 1e f7 69 8d 4f 7a ac a1 e9 30 47 4e 1d ec 3f 5b 3b fa 1f 04 93 ff 8c 0e 6e df eb f3 27 9b ca 81 6c 0f 9f ed fd 1f 20 63 c2 f7 74 6c 3f 8b 27 3b ea 6b eb b3 d6 93 bb bf e6 fe 19 98 7b 18 74 7e c8 fe d2 f6 53 0e 98 31 12 5f fe 4e 39 57 7d 68 2d 5c 1c 8a cb ec c3 fa eb 27 1c 30 e5 d1 eb 79 ec a3 be 89 df 78 9b 78 36 b0 df f8 76 c4 fb 13 0f 98 34 67 f2 9e d5 0b f7 a1 72 c2 f1 95 9c a8 5e 92 07 3f ff b7 0b 98 f3 2d 7d 67 fd 9b 0f f3 3e a0 f1 b9 ff 97 17 9c f7 12 37 ce f7 ca 13 a7 4f ed 6d ed ff c5 51 1f f9 ae 73 d2 f3 8d 7e 6d f6 9d 66 9b 9c fe b6 07 d8 63 ce ee 60 d6 33 b0 e7 3f bf 95 31 af c5 6b 5e 8b e7 1f 75 40 f9
Data Ascii: |m=='XyK&gOsJgMiOz0GN?[;n'l ctl?';k{t~S1_N9W}h-\'0yxx6v4gr^?-}g>7OmQs~mfc`3?1k^u@
2025-03-24 21:04:10 UTC | 1378 | IN | Data Raw: f7 9e 64 35 0d cf b3 63 cb de e2 ac 6d f0 62 a9 46 18 5b f2 84 cc f0 5f f6 fa e6 1b 2e e0 fc ae 3f f9 05 37 7f 83 0d a8 29 9d d7 9f f6 83 66 8c d8 b9 f7 4e d0 d9 fb d8 74 7f ca db f5 a4 33 7e 40 74 c6 23 ff e6 38 d3 97 f0 fb 9e 5b 6c c5 ca d8 74 9c 3c 70 6a e1 c4 35 6f eb 4b c0 3e d7 68 ad 0f 26 ad 3a 8e 1f 9e 9d df e6 80 69 27 1e 74 5b e7 8c 59 b8 b3 7b f4 ea b4 3d 8d 2d f7 ee 9e 5e bb 78 4c bd 9e 4f 7b cf 4f 7e 88 49 b4 6a a7 b8 4c de b3 67 13 6c d1 b6 ef fb e1 c8 9b ba 1a 33 d9 af 4f a7 fd 68 d8 61 3f fc 4a 2e 19 b5 89 f3 94 ef 1e c6 33 3e 6d 7b 9f 21 d9 72 df d1 35 ff f8 29 67 ca 85 33 1f d1 db 4f bd 1a a7 ad 1f af 7c 7a df b1 ea 9c 9f 68 a3 6b 7e 69 9e f2 8c b1 67 b9 d5 bd 09 d1 b7 4f f2 97 1f f0 fd df ce e9 8c ee 0a fe f1 37 70 2e 16 bb 1e 88 c1 9c
Data Ascii: d5cmbF[_.?7)fNt3~@t#8[lt<pj5oK>h&:i't[Y{=-^xLO{O~IjLgl3Oha?J.3>m{!r5)g3O|zhk~igO7p.
2025-03-24 21:04:10 UTC | 1378 | IN | Data Raw: b8 e7 89 de da 4d 5b df b1 84 f7 bc 86 de e4 84 f7 6c 47 3e 6e bc 35 15 f9 d9 93 5e f7 6b f4 79 67 c3 dc 1a 3d 1a 31 de 76 7a 1f d4 3d e1 a6 97 eb 67 fe 1a b7 78 c3 9b 6f e1 c9 26 f7 3b 1e a0 de 87 6f df c5 f3 ae 69 bf 35 87 73 fb 55 68 c3 7b 8e 62 ec 6d bc fe 3b a3 ff d1 6f e7 1b ff 27 1f 70 26 c7 fb e0 67 f4 ec 74 6e 4e d8 79 72 86 f7 6e 92 fa 43 de c4 8b 83 f3 e4 17 e7 f6 4e c4 62 f6 d7 77 3a 80 9c 8d d7 4f e8 d5 32 79 91 7c ef 62 c2 d7 5f e5 ed 77 3d 00 de 77 0e ec 09 6f fe 83 d7 cf c6 50 f2 8d 47 78 cf 50 f4 69 f4 ee 2b e9 8a 3e bd 6a 32 fa ed ef 0f 3e 80 fd 3b 4f 8c 3b f8 1d 37 f9 79 46 4f ce f4 2b bc 35 91 f3 2d e7 1f 79 3b df f4 f6 d1 be fa 80 4d ef 7d 72 35 6b eb fd 9e 07 e0 0f 5f 7c e4 aa 98 6c f9 de 2d 3d 1b 8f fa 48 1c b7 7c ef b7 d3 bb e9 ed
Data Ascii: M[lG>n5^kyg=1vz=gxo&;oi5sUh{bm;o'p&gtnNyrnCNbw:O2y|b_w=woPGxPi+>j2>;O;7yFO+5-y;M}r5k_|l-=H|
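Two things in the session above are worth checking rather than eyeballing. The request carries no User-Agent header at all, only Host and Connection, which is how WebClient-style downloads from .NET code often look on the wire. And the 31476-byte response is a real PNG, not a PE with an image extension: the dump opens with the PNG signature followed by IHDR, sRGB, gAMA and pHYs chunks and then one IDAT. The script below is an added check, not part of the report: it parses the captured prefix, verifies each complete chunk's CRC, and compares the file size implied by the chunk headers with the Content-Length. The IHDR decodes to a 47104 × 1 pixel, 8-bit RGBA image, an odd shape for a picture and a convenient one for a payload carrier, since it holds 188,416 bytes of raw pixel data. The report does not show what those pixels decode to; inflating the IDAT stream and inspecting the pixel bytes for a PE or .NET header is the next step. The bytes and CONTENT_LENGTH are copied from the page; the capture is truncated, so the parser has to tolerate an incomplete IDAT chunk. The CHANNELS table is the PNG specification's colour-type mapping.

```python
"""Parse and sanity-check the PNG prefix captured from the raw.githubusercontent.com response."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CONTENT_LENGTH = 31476  # Content-Length header of the response on this page

# First bytes of the response body, copied from the "Data Raw" dump above.
# The dump is cut off, so the IDAT chunk is incomplete on purpose.
CAPTURED_PREFIX = bytes.fromhex(
    "89 50 4e 47 0d 0a 1a 0a"
    "00 00 00 0d 49 48 44 52 00 00 b8 00 00 00 00 01 08 06 00 00 00 15 9f 30 71"
    "00 00 00 01 73 52 47 42 00 ae ce 1c e9"
    "00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05"
    "00 00 00 09 70 48 59 73 00 00 0e c3 00 00 0e c3 01 c7 6f a8 64"
    "00 00 7a 89 49 44 41 54 78 5e ed dd 79 e0 77 dd d7 d0 f3 27 b9 cd 43 48 78 cc"
)

# Samples per pixel for each PNG colour type (PNG spec: grey, RGB, palette, grey+alpha, RGBA).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def parse_chunks(data):
    """Walk the chunk list. A chunk whose declared length runs past the data is marked incomplete
    and its CRC is left unverified instead of raising, so a truncated capture still parses."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG stream")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        ctype = ctype.decode("ascii")
        body = data[pos + 8:pos + 8 + length]
        complete = pos + 12 + length <= len(data)
        crc_ok = None
        if complete:
            (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
            crc_ok = zlib.crc32(ctype.encode("ascii") + body) == crc  # CRC covers type + data
        chunks.append({"type": ctype, "length": length, "body": body,
                       "complete": complete, "crc_ok": crc_ok})
        pos += 12 + length
    return chunks


def ihdr_fields(chunks):
    """Decode the 13-byte IHDR: width, height, bit depth, colour type, compression, filter, interlace."""
    body = next(c["body"] for c in chunks if c["type"] == "IHDR")
    width, height, depth, color_type, comp, filt, interlace = struct.unpack(">IIBBBBB", body)
    return {"width": width, "height": height, "bit_depth": depth, "color_type": color_type,
            "compression": comp, "filter": filt, "interlace": interlace}


def raw_pixel_bytes(fields):
    """Uncompressed pixel payload the image carries, i.e. how much a stego carrier of this shape holds."""
    return fields["width"] * fields["height"] * CHANNELS[fields["color_type"]] * fields["bit_depth"] // 8


def declared_file_size(chunks):
    """File size implied by the chunk headers seen so far, plus a 12-byte IEND if not yet reached."""
    size = len(PNG_SIGNATURE) + sum(12 + c["length"] for c in chunks)
    if chunks[-1]["type"] != "IEND":
        size += 12
    return size


def zlib_header_ok(idat_body):
    """RFC 1950 header check: deflate method and a (CMF*256 + FLG) value divisible by 31."""
    cmf, flg = idat_body[0], idat_body[1]
    return cmf & 0x0F == 8 and (cmf * 256 + flg) % 31 == 0


if __name__ == "__main__":
    chunks = parse_chunks(CAPTURED_PREFIX)
    fields = ihdr_fields(chunks)
    for c in chunks:
        print(f"{c['type']:4s} length={c['length']:6d} complete={c['complete']} crc_ok={c['crc_ok']}")
    print("IHDR:", fields, "raw pixel bytes:", raw_pixel_bytes(fields))
    print("declared size matches Content-Length:", declared_file_size(chunks) == CONTENT_LENGTH)
```

Because the size implied by the headers equals the Content-Length exactly, the file consists of exactly these chunks with a single IDAT and an IEND, so nothing is appended after the image: whatever the second stage is, it is inside the pixel data, not tacked onto the end of the file.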



                                          Target ID:1
                                          Start time:17:04:08
                                          Start date:24/03/2025
                                          Path:C:\Users\user\Desktop\XoilaFixer.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\XoilaFixer.exe"
                                          Imagebase:0x3e0000
                                          File size:50'176 bytes
                                          MD5 hash:CD3C6E9D220BC5F45CCDBC65958B4595
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000000.1208693955.00000000003E2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000000.1208693955.00000000003E2000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.2451612510.000000001B0B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: rat_win_xworm_v2, Description: Finds XWorm v2 samples based on characteristic strings, Source: 00000001.00000002.2451612510.000000001B0B0000.00000004.08000000.00040000.00000000.sdmp, Author: Sekoia.io
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.2451612510.000000001B0B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.2450620075.0000000002846000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.2450620075.0000000002846000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.2450620075.000000000273E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.2450620075.000000000273E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:low
                                          Has exited:false

                                          Target ID:8
                                          Start time:17:04:20
                                          Start date:24/03/2025
                                          Path:C:\Users\user\AppData\Roaming\XoilaFixer.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\AppData\Roaming\XoilaFixer.exe"
                                          Imagebase:0x450000
                                          File size:50'176 bytes
                                          MD5 hash:CD3C6E9D220BC5F45CCDBC65958B4595
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, Author: Joe Security
                                          • Rule: rat_win_xworm_v2, Description: Finds XWorm v2 samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, Author: Sekoia.io
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, Author: ditekSHen
                                          Antivirus matches:
                                          • Detection: 100%, Avira
                                          • Detection: 64%, ReversingLabs
                                          Reputation:low
                                          Has exited:true

                                          Target ID:10
                                          Start time:17:04:28
                                          Start date:24/03/2025
                                          Path:C:\Users\user\AppData\Roaming\XoilaFixer.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\AppData\Roaming\XoilaFixer.exe"
                                          Imagebase:0xd30000
                                          File size:50'176 bytes
                                          MD5 hash:CD3C6E9D220BC5F45CCDBC65958B4595
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2452747373.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff88b4e0000_XoilaFixer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: M_H
                                          • API String ID: 0-1939843538
                                          • Opcode ID: c451c7f909467a3ccd274e51b0cf1d585e2042c5a55b9b06f8db50a3107a7d3e
                                          • Instruction ID: f459cbb701e6efa7309049af0731519b28f5b28853acd399e2612c09c2325f1f
                                          • Opcode Fuzzy Hash: c451c7f909467a3ccd274e51b0cf1d585e2042c5a55b9b06f8db50a3107a7d3e
                                          • Instruction Fuzzy Hash: 9A711A31E1C9094FE798EB68945A6BA77E2FFD9751F04027AD00EC32A2DE28AC45C341
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2452747373.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff88b4e0000_XoilaFixer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: =M_^
                                          • API String ID: 0-3937918107
                                          • Opcode ID: f3ede3936e004c6c388c3fba0ca2d2a08c0954100260d01ea9a950071acd33f5
                                          • Instruction ID: b3d6033e07caa2e67064e9b2516fa3d98b158d57980c392b9a63b5fb10d257e7
                                          • Opcode Fuzzy Hash: f3ede3936e004c6c388c3fba0ca2d2a08c0954100260d01ea9a950071acd33f5
                                          • Instruction Fuzzy Hash: D5617C62E0D6C29FE746A77858671B93FE0FF9569471800FEC0A9C72E3ED285845C782
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2452747373.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff88b4e0000_XoilaFixer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e95422afbcdbd9db298fd8f9c7def2e6b9bab67e80389baa0db6131c65f2853e
                                          • Instruction ID: 85fa5f3cec8a1d786b1c45ac9ecb497b4167eeeebf80625e011c0b8e50f67056
                                          • Opcode Fuzzy Hash: e95422afbcdbd9db298fd8f9c7def2e6b9bab67e80389baa0db6131c65f2853e
                                          • Instruction Fuzzy Hash: F131032164D7D50FD306FB78A8A61E97FB0EF8665070842FBD098CB2E3D92C6849C752
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2452747373.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff88b4e0000_XoilaFixer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dcfce018858029634914a54ae01240f8afd4fb377dc8ddd837c76525b8954f03
                                          • Instruction ID: fbe56420f76bfeeb1e19a385ef14ef36880eaec8e76db1f1a6fb41229731f6ae
                                          • Opcode Fuzzy Hash: dcfce018858029634914a54ae01240f8afd4fb377dc8ddd837c76525b8954f03
                                          • Instruction Fuzzy Hash: 1E813731E0CA594FE795EB6C945A2BD77D0FF957A0F0405BAC04EC32E2DD286886C782
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2452747373.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff88b4e0000_XoilaFixer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 36b755f8cee6185cba6a48ca70fedd4e9505c2ecba16884f7655f86b26165eca
                                          • Instruction ID: bd23af1f454edf636c4fc402c7921bf617f7aab8cf634bd718f44c4db64103d6
                                          • Opcode Fuzzy Hash: 36b755f8cee6185cba6a48ca70fedd4e9505c2ecba16884f7655f86b26165eca
                                          • Instruction Fuzzy Hash: 4C813731E4CA8A4FE35ADB3844162A97BD1FF963A0F1802BAC05DC32E7DD2C5846C781
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2452747373.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff88b4e0000_XoilaFixer.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c6d53cce10aa17556f3c0eeaff9fe0f798c045723d634ef446a8b3e015f1837b
                                          • Instruction ID: 435ee830955142f53b201e94bdeb79581d9dd11ff25e516cd0d4d02943cf6787
                                          • Opcode Fuzzy Hash: c6d53cce10aa17556f3c0eeaff9fe0f798c045723d634ef446a8b3e015f1837b
                                          • Instruction Fuzzy Hash: 72610231E1891D4FE799EB6C904A3BD77D1FBD87A0F1405BAD01EC32D6ED28A8428781
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2452747373.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff88b4e0000_XoilaFixer.jbxd

                                          Executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1337122398.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_7ff88b4e0000_XoilaFixer.jbxd

                                          Executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1419098602.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_7ff88b4e0000_XoilaFixer.jbxd